CVE-2020-8557 Vulnerability Notice
The Huawei Cloud CCI team became aware of the Kubernetes security vulnerability CVE-2020-8557 on July 22. Detailed analysis found that the vulnerability does not affect users or CCI services, and no action is required.
Vulnerability Details
Kubernetes has officially disclosed the security vulnerability CVE-2020-8557, with a CVSS rating of Medium (5.5): CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/CR:H/IR:H/AR:M.
Vulnerability brief: The eviction manager of kubelet does not account for the temporary storage used by the /etc/hosts file mounted to pods. An attacker can exploit this by writing a large amount of data to the /etc/hosts file, which fills the storage space of the node and causes a denial of service.
Reference link: https://github.com/kubernetes/kubernetes/issues/93032
How Do I Determine Whether a Vulnerability Is Involved?
The following kubelet versions are affected:
- kubelet v1.18.0–v1.18.5
- kubelet v1.17.0–v1.17.8
- kubelet versions earlier than v1.16.13
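The version ranges above can be checked across a cluster with a short script. The following is an added example, not part of the original notice or of Kubernetes: the function names and the sample node list are constructed, and the input format assumes one "NODE VERSION" pair per line.

```shell
#!/bin/sh
# Added example (not from the notice): flag kubelet versions in the listed ranges.

# is_affected VERSION: returns 0 if listed as affected, 1 if not, 2 if unparseable.
is_affected() {
    local v major minor patch rest part
    v=${1#v}              # drop the leading "v"
    v=${v%%[-+]*}         # drop vendor/build suffixes such as "-r1" or "+build"
    case "$v" in *.*.*) ;; *) return 2 ;; esac
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    for part in "$major" "$minor" "$patch"; do
        case "$part" in ''|*[!0-9]*) return 2 ;; esac
    done
    if [ "$major" -ne 1 ]; then
        [ "$major" -lt 1 ]; return
    fi
    case "$minor" in
        18) [ "$patch" -le 5 ] ;;    # v1.18.0 to v1.18.5
        17) [ "$patch" -le 8 ] ;;    # v1.17.0 to v1.17.8
        16) [ "$patch" -le 12 ] ;;   # earlier than v1.16.13
        *)  [ "$minor" -lt 16 ] ;;   # every older 1.x minor release
    esac
}

# affected_nodes: reads "NODE KUBELET_VERSION" lines on stdin, prints the affected ones.
affected_nodes() {
    local node version rc
    while read -r node version; do
        [ -n "$node" ] || continue
        rc=0; is_affected "$version" || rc=$?
        case "$rc" in
            0) printf '%s %s\n' "$node" "$version" ;;
            2) printf 'cannot parse version for %s: %s\n' "$node" "$version" >&2 ;;
        esac
    done
}

# Constructed sample in the shape printed by:
#   kubectl get nodes --no-headers \
#     -o custom-columns=NAME:.metadata.name,KUBELET:.status.nodeInfo.kubeletVersion
SAMPLE_NODES='node-a v1.15.11-r1
node-b v1.18.6
node-c v1.17.8
node-d v1.16.13
node-e unknown'

printf '%s\n' "$SAMPLE_NODES" | affected_nodes
```

The script compares version strings only; whether a matching node is actually exposed also depends on how /etc/hosts is provided to its containers.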
Vulnerability Analysis Results
The CCI service is not affected by this vulnerability. The reasons are as follows:
- CCI workloads are deployed on clusters of Kubernetes v1.15 and run Kata containers. The hosts file on the nodes is not directly mounted to the containers. Therefore, nodes will not be attacked.
- Service containers of different tenants are completely isolated. Malicious users cannot access containers of other users.