From 1d7c06454aa5039eeb2893a08b60297406cd9968 Mon Sep 17 00:00:00 2001 From: Archana Shinde Date: Wed, 18 Nov 2020 09:54:59 -0800 Subject: [PATCH 1/3] VMT: add KCSA for CVE-2020-28914 We have fixed them and put the fix in a release. Let's make the announcement. Fixes: #187 Signed-off-by: Archana Shinde --- VMT/KCSA/KCSA-CVE-2020-28914.md | 71 +++++++++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 VMT/KCSA/KCSA-CVE-2020-28914.md diff --git a/VMT/KCSA/KCSA-CVE-2020-28914.md b/VMT/KCSA/KCSA-CVE-2020-28914.md new file mode 100644 index 0000000000..115974cf87 --- /dev/null +++ b/VMT/KCSA/KCSA-CVE-2020-28914.md 
@@ -0,0 +1,71 @@ +announcement-date: 2020-11-17 + +id: KCSA-CVE-2020-28914 + +title: Kata Containers Improper file permissions for read-only volumes + +description: An improper file permissions vulnerability affects Kata Containers +prior to 1.11.5. When using a Kubernetes host-path volume and mounting +either a file or directory into a container as readonly, the file/directory +is mounted as read-only inside the container, but is still writable inside +the guest. For a container breakout situation, a malicious guest can +potentially modify or delete files/directories expected to be read-only. + +affected-components: + + - components: `kata-runtime` + version: Before v1.11.5 + +vulnerabilities: + + - CVE-ID: CVE-2020-28914 + +reporters: + + - name: `Alex Chapman` + affiliation: Independent Researcher + reported: + - CVE-2020-28914 + +issues: + + links: + - https://github.com/kata-containers/runtime/issues/3041 + - https://github.com/kata-containers/kata-containers/issues/1061 + + reviews: + + v2.0.0: + - https://github.com/kata-containers/kata-containers/pull/1062 + + v1.12.0: + - https://github.com/kata-containers/runtime/pull/3048 + + v1.11.5: + - https://github.com/kata-containers/runtime/pull/3051 + + type: GitHub + +reproduce: + + - When using a Kubernetes host-path volume and mounting either a file or + directory into a container with read-only: true, the file/directory is + mounted as read-only inside the container, but is still writable inside + the guest (but outside of the container). + + In case a container breakout were to occur, a malicious guest will be able to + modify or delete files and directories that are expected to be read-only inside + the guest. + 1. Start a pod with a host-path volume passed as read-only to a container within the pod. + 2. Start a debug shell to get root access within the guest and attempt + to write to the read-only volume shared with the guest under + `/run/kata-containers/shared/sandboxes/{pod-id}/{volume}/` + 3. 
Though the volume is not writable within the container, the guest will be + able to write to the volume or even delete it. + +notes: + + - If the read-only files/directories are shared across multiple + pods on the same node, other pods will be able to see the modified/deleted files/directories. + This vulnerability has been fixed in releases 1.12.0, 1.11.5 and 2.0 branch. + From d02f43c5bb3f59ffc6f490c5534499c4faf4a8f2 Mon Sep 17 00:00:00 2001 From: Archana Shinde Date: Wed, 18 Nov 2020 11:07:31 -0800 Subject: [PATCH 2/3] docs: List KCSAs in reverse date order We mentioned in the KCSA doc, that the advisories are listed in reverse date order, but the advisories themselves are listed in chronological order. Change the order as it makes sense to list the most recent KCSA first. Signed-off-by: Archana Shinde --- VMT/KCSA.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/VMT/KCSA.md b/VMT/KCSA.md index 3aedc2fa29..d67bdedf54 100644 --- a/VMT/KCSA.md +++ b/VMT/KCSA.md @@ -6,8 +6,8 @@ This table is in reverse date order. | KCSA | Description | | ------------------------------------------------ | ---------------------------- | -| [KCSA-CVE-2019-5736](KCSA/KCSA-CVE-2019-5736.md) | runc container breakout | -| [KCSA-CVE-2020-2024](KCSA/KCSA-CVE-2020-2024.md) | improper link resolution vulnerability | -| [KCSA-CVE-2020-2025](KCSA/KCSA-CVE-2020-2025.md) | Cloud Hypervisor guest image persists vulnerability | | [KCSA-CVE-2020-2023](KCSA/KCSA-CVE-2020-2023.md) | Execution with Unnecessary Privileges | | [KCSA-CVE-2020-2026](KCSA/KCSA-CVE-2020-2026.md) | Improper Link Resolution Before File Access | +| [KCSA-CVE-2020-2024](KCSA/KCSA-CVE-2020-2024.md) | improper link resolution vulnerability | +| [KCSA-CVE-2020-2025](KCSA/KCSA-CVE-2020-2025.md) | Cloud Hypervisor guest image persists vulnerability | +| [KCSA-CVE-2019-5736](KCSA/KCSA-CVE-2019-5736.md) | runc container breakout | From 52f659b51f64422f12cf4f9b7d658ea40953ad2e Mon Sep 17 00:00:00 2001 
From: Archana Shinde Date: Wed, 18 Nov 2020 11:17:59 -0800 Subject: [PATCH 3/3] kcsa: Add entry to newly added KCSA Add mention of KCSA for CVE-2020-28914 to the list of KCSAs Signed-off-by: Archana Shinde --- VMT/KCSA.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/VMT/KCSA.md b/VMT/KCSA.md index d67bdedf54..faec5e5620 100644 --- a/VMT/KCSA.md +++ b/VMT/KCSA.md @@ -4,10 +4,11 @@ This page lists all previously published Kata Containers Security Advisories (KC This table is in reverse date order. -| KCSA | Description | -| ------------------------------------------------ | ---------------------------- | -| [KCSA-CVE-2020-2023](KCSA/KCSA-CVE-2020-2023.md) | Execution with Unnecessary Privileges | -| [KCSA-CVE-2020-2026](KCSA/KCSA-CVE-2020-2026.md) | Improper Link Resolution Before File Access | -| [KCSA-CVE-2020-2024](KCSA/KCSA-CVE-2020-2024.md) | improper link resolution vulnerability | -| [KCSA-CVE-2020-2025](KCSA/KCSA-CVE-2020-2025.md) | Cloud Hypervisor guest image persists vulnerability | -| [KCSA-CVE-2019-5736](KCSA/KCSA-CVE-2019-5736.md) | runc container breakout | +| KCSA | Description | +| -------------------------------------------------- | ---------------------------- | +| [KCSA-CVE-2020-28914](KCSA/KCSA-CVE-2020-28914.md) | Improper file permissions for read-only volumes | +| [KCSA-CVE-2020-2023](KCSA/KCSA-CVE-2020-2023.md) | Execution with Unnecessary Privileges | +| [KCSA-CVE-2020-2026](KCSA/KCSA-CVE-2020-2026.md) | Improper Link Resolution Before File Access | +| [KCSA-CVE-2020-2024](KCSA/KCSA-CVE-2020-2024.md) | improper link resolution vulnerability | +| [KCSA-CVE-2020-2025](KCSA/KCSA-CVE-2020-2025.md) | Cloud Hypervisor guest image persists vulnerability | +| [KCSA-CVE-2019-5736](KCSA/KCSA-CVE-2019-5736.md) | runc container breakout |
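Review bot: In PATCH 1/3 (VMT/KCSA/KCSA-CVE-2020-28914.md), `affected-components` lists only `kata-runtime` with `version: Before v1.11.5`, while the `reviews` block links separate fixes for v2.0.0 (in the kata-containers/kata-containers repository) and v1.12.0, and `notes` says the fix is in 1.12.0, 1.11.5 and the 2.0 branch. A reader running a build from the 1.12 or 2.0 line cannot tell from this entry whether they are affected; please state the affected range per release line and name the 2.0 component as well. In `reproduce`, item 3 is the observed result rather than a step, and the numbered items are nested under the descriptive paragraph, so separating the steps from the expected and actual outcome would make the reproduction easier to follow.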
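Review bot: In PATCH 2/3 (VMT/KCSA.md), the reordered rows are not a reversal of the old list, which the commit message describes as chronological. The old order was CVE-2019-5736, CVE-2020-2024, CVE-2020-2025, CVE-2020-2023, CVE-2020-2026, so a strict reversal would put CVE-2020-2026 first and CVE-2020-2025 ahead of CVE-2020-2024; the hunk instead keeps 2023 before 2026 and 2024 before 2025. If each pair shares an announcement date, say so in the commit message; otherwise swap the rows within each pair. The table has no date column, so a reader cannot check the "reverse date order" statement either way; adding the announcement date as a column would make the ordering verifiable.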
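Review bot: In PATCH 3/3 (VMT/KCSA.md), the hunk removes and re-adds every existing row only to re-pad the first column for the longer `KCSA-CVE-2020-28914` link, which turns a one-row addition into 8 insertions and 7 deletions and hides the real change. Markdown renders the table the same without aligned pipes, so adding only the new row at the top would keep the diff minimal; if the re-padding is kept, the Description column should be aligned too, since its separator is still narrower than every entry. While touching these rows, the description casing could also be made consistent: "improper link resolution vulnerability" is lower case where the neighbouring entries use title case.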