In Kubernetes v1.8.x-v1.14.x, schema info is cached by kubectl in the location specified by –cache-dir (defaulting to $HOME/.kube/http-cache), written with world-writeable permissions (rw-rw-rw-). If –cache-dir is specified and pointed at a different location accessible to other users/groups, the written files may be modified by other users/groups and disrupt the kubectl invocation.
Weakness
The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Kubernetes | Kubernetes | 1.8.0 (including) | 1.14.1 (including) |
| Red Hat OpenShift Container Platform 3.11 | RedHat | atomic-openshift-0:3.11.161-1.git.0.4ccbe25.el7 | * |
| Red Hat OpenShift Container Platform 4.1 | RedHat | openshift-0:4.1.24-201911080309.git.0.c41acf2.el7 | * |
| Red Hat OpenShift Container Platform 4.1 | RedHat | openshift4/ose-cli:v4.1.24-201911120311 | * |
Potential Mitigations
Related Attack Patterns
References
- http://www.securityfocus.com/bid/108064
- https://access.redhat.com/errata/RHSA-2019:3942
- https://access.redhat.com/errata/RHSA-2020:0020
- https://access.redhat.com/errata/RHSA-2020:0074
- https://github.com/kubernetes/kubernetes/issues/76676
- https://security.netapp.com/advisory/ntap-20190509-0002/
- http://www.securityfocus.com/bid/108064
- https://access.redhat.com/errata/RHSA-2019:3942
- https://access.redhat.com/errata/RHSA-2020:0020
- https://access.redhat.com/errata/RHSA-2020:0074
- https://github.com/kubernetes/kubernetes/issues/76676
- https://security.netapp.com/advisory/ntap-20190509-0002/