IBM Cloud Container Service is affected by the following vulnerabilities which in some cases allow unauthorized access to the file system on the cluster worker nodes, including deletion of arbitrary files and directories. This document describes the issues and mitigations. It also describes how to check if your clusters are affected and what remedial action to take.
Exploitation of the issues is only possible for an authenticated user who has permission to deploy pods into the cluster. Other mitigations are described below.
CVEID: CVE-2017-1002101
DESCRIPTION: Kubernetes could allow a remote attacker to obtain sensitive information, caused by using subpath volume mounts with any volume type. A remote authenticated attacker could exploit this vulnerability to access files/directories outside of the volume, including the host's filesystem.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/140496 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
CVEID: CVE-2017-1002102
DESCRIPTION: Kubernetes could allow a local authenticated attacker to delete arbitrary files from the system, caused by a flaw in how containers that use a secret, configMap, projected or downwardAPI volume are handled. An attacker could exploit this vulnerability to delete arbitrary files or directories from the system.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/140466 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H)
IBM Cloud Container Service clusters running Kubernetes 1.7.4 or earlier, 1.8.8 or earlier, or 1.9.3 or earlier are affected.
Customers must upgrade the affected clusters to Kubernetes versions 1.7.16, 1.8.11, 1.9.7 (or later) when these versions are released by IBM. Refer to https://console.bluemix.net/docs/containers/cs_versions.html for more information about Kubernetes versions.
Run bx cs kube-versions to check which Kubernetes versions the IBM Cloud Container Service has released.
When the updated Kubernetes versions are released, refer to https://console.bluemix.net/docs/containers/cs_cluster_update.html for instructions to update Kubernetes in your clusters.
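The following shell snippet is an added example, not part of this bulletin or of the bx CLI: it takes a cluster's Kubernetes version string and reports whether it is below the fixed level the bulletin names for that minor line (1.7.16, 1.8.11, 1.9.7). Versions on other minor lines are reported as "unknown" rather than guessed at. The "_build" suffix handling is an assumption about how the bx CLI prints versions; the cluster list at the bottom is constructed sample data, not real CLI output.

```shell
#!/bin/sh
# Added example (not from the IBM bulletin): classify an IBM Cloud Container
# Service cluster's Kubernetes version against the fixed levels named in the
# bulletin for CVE-2017-1002101 / CVE-2017-1002102.

# classify VERSION  -> prints: affected | fixed | unknown
# Accepts "1.8.8", "v1.8.8" or "1.8.8_1504". Stripping a trailing "_build"
# suffix is an assumption about the bx CLI output format.
classify() {
    v=${1%%_*}            # drop "_build" suffix, if any (assumed format)
    v=${v#v}              # drop a leading "v", if any
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.} ;;
        *)   patch=0 ;;        # "1.8" with no patch field: treat as .0
    esac
    patch=${patch%%[!0-9]*}    # keep only the leading digits of the patch field

    # Fixed patch level per affected minor line, from the bulletin.
    case "$major.$minor" in
        1.7) fixed=16 ;;
        1.8) fixed=11 ;;
        1.9) fixed=7 ;;
        *)   echo unknown; return 0 ;;   # not covered by the bulletin's table
    esac

    if [ "${patch:-0}" -lt "$fixed" ]; then
        echo affected
    else
        echo fixed
    fi
}

# report: read "name version" pairs on stdin, print name, version, status.
report() {
    while read -r name version; do
        printf '%s\t%s\t%s\n' "$name" "$version" "$(classify "$version")"
    done
}

# Constructed sample input (not real CLI output). In practice, build this list
# from the cluster name and version fields of your bx cs cluster listing.
printf '%s\n' \
    'prod-east 1.8.8_1504' \
    'prod-west 1.9.7_1510' \
    'dev       1.7.4_1502' | report
```

The classifier deliberately compares only within a minor line, because the bulletin gives a separate fixed patch level for each of 1.7, 1.8 and 1.9; a cluster on any other line should be checked against the bx cs kube-versions output and the linked version documentation rather than assumed safe.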
Exploitation of these issues is only possible for an authenticated user who has permission to deploy pods into the cluster.
To prevent exploitation of the issue: