PT-2017-11019 · Microsoft · Kubernetes Azure Cloud Provider
Brandon Philips · Published 2017-09-14 · Updated 2017-09-29 · CVE-2017-1002100
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Kubernetes Azure cloud provider versions 1.6.0 through 1.6.5
Description
Persistent Volumes (PVs) created by the Kubernetes Azure cloud provider receive the default access permission "container", which exposes a URI that can be accessed without authentication on the public internet. Learning the URI string itself requires privileged access to the Kubernetes cluster or authenticated access to the Azure portal.
Recommendations
For versions 1.6.0 through 1.6.5, consider restricting access to the exposed URI to prevent unauthorized access until a fix is available. As a temporary workaround, limit privileged access to the Kubernetes cluster and authenticated access to the Azure portal to minimize the risk of exploitation.
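One way to find storage containers left at the "container" access level described above is to audit a container listing. This is an added example, not code from the advisory or from Kubernetes; the JSON shape (a `properties.publicAccess` field per container, as assumed for `az storage container list --output json`), the container names and the function name `audit_containers` are assumptions.

```python
import json

# Constructed sample in the shape `az storage container list --output json`
# is assumed to return; the container names are made up for illustration.
SAMPLE_LISTING = json.dumps([
    {"name": "vhds", "properties": {"publicAccess": "container"}},
    {"name": "backups", "properties": {"publicAccess": None}},
    {"name": "assets", "properties": {"publicAccess": "blob"}},
    {"name": "legacy", "properties": {}},
])

# Azure public access levels and what an unauthenticated client can do.
EXPOSURE = {
    "container": "anonymous list and read of every blob",
    "blob": "anonymous read of any blob whose URL is known",
}


def audit_containers(listing_json):
    """Return (name, level, exposure) for every container that is not private."""
    findings = []
    for entry in json.loads(listing_json):
        props = entry.get("properties") or {}
        level = (props.get("publicAccess") or "").lower()
        if level in ("", "off", "none"):
            continue  # a missing, null or "off" level means private
        exposure = EXPOSURE.get(level, "unrecognised access level, review manually")
        findings.append((entry.get("name", "<unnamed>"), level, exposure))
    # Report the "container" level first: it is the setting this advisory covers.
    findings.sort(key=lambda f: (f[1] != "container", f[0]))
    return findings


if __name__ == "__main__":
    for name, level, exposure in audit_containers(SAMPLE_LISTING):
        print(f"{name}: publicAccess={level} -> {exposure}")
```

A flagged container can be made private with `az storage container set-permission --name <container> --account-name <account> --public-access off`, where both bracketed values are placeholders.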
Fix
Information Disclosure
Weakness Enumeration
Related Identifiers
Affected Products
Kubernetes Azure Cloud Provider