oss-sec mailing list archives
[ANNOUNCE] Security regression in Kubernetes kubelet v1.13.6 and v1.14.2 only - CVE-2019-11245
From: Brandon Philips <bphilips () redhat com>
Date: Thu, 30 May 2019 14:57:25 -0700
Hello Kubernetes Community,

A security-related issue was discovered in kubelet versions v1.13.6 and v1.14.2. The issue is medium severity and can be mitigated with a pod spec configuration change OR by downgrading kubelets to v1.13.5 or v1.14.1.

***Vulnerability Details***

When a container runs for the first time on a node, it correctly respects the UID set by the container image (e.g. USER in a Dockerfile). However, on the second run, the container will run as UID 0 (aka root), which can be an undesired escalated privilege.

Pods that specify an explicit runAsUser are unaffected and continue to work properly. PodSecurityPolicies that force a runAsUser setting are also unaffected and continue to work properly. Pods that specify mustRunAsNonRoot:true will refuse to start the container as uid 0, which can affect availability.

This issue is filed as CVE-2019-11245. See https://github.com/kubernetes/kubernetes/issues/78308 for more details.

***Am I vulnerable?***

Run this to print out all nodes and their kubelet version:

kubectl get nodes -o=jsonpath='{range .items[*]}{.status.nodeInfo.machineID}{"\t"}{.status.nodeInfo.kubeletVersion}{"\n"}{end}'

If the output lists any of the kubelet versions below, you are running a vulnerable version:

- v1.13.6
- v1.14.2

***How do I mitigate the vulnerability?***

There are two potential mitigations to this issue:

- Downgrade to kubelet v1.13.5 or v1.14.1 as instructed by your Kubernetes distribution.
- Set runAsUser on all pods in the cluster that should not run as root. This is a Security Context feature; the docs are at https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod

***How do I upgrade?***

An upgrade addressing this issue is not yet available, but it will appear in v1.13.7 and v1.14.3 as soon as possible and will be announced here.
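An added audit helper (not part of the announcement or of any Kubernetes tooling) that applies both checks above offline: it flags nodes whose kubelet is one of the two affected versions, and pods that would still rely on the image's USER because neither the pod-level nor the container-level securityContext sets runAsUser. The node and pod objects are constructed samples shaped like `kubectl get ... -o json` output; the function and sample names are mine.

```python
# kubelet versions the advisory names as affected by CVE-2019-11245
VULNERABLE_KUBELETS = {"v1.13.6", "v1.14.2"}


def vulnerable_nodes(nodes):
    """Names of nodes running an affected kubelet.
    `nodes` is the parsed output of `kubectl get nodes -o json`."""
    return [n["metadata"]["name"] for n in nodes.get("items", [])
            if n["status"]["nodeInfo"]["kubeletVersion"] in VULNERABLE_KUBELETS]


def pods_without_run_as_user(pods):
    """'namespace/name' of pods where some container has no explicit runAsUser,
    i.e. pods still relying on the image's USER, which the regression ignores on
    the second run. A pod-level or container-level securityContext both count.
    `pods` is the parsed output of `kubectl get pods -A -o json`."""
    flagged = []
    for pod in pods.get("items", []):
        spec = pod["spec"]
        pod_uid = (spec.get("securityContext") or {}).get("runAsUser")
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            c_uid = (c.get("securityContext") or {}).get("runAsUser")
            if pod_uid is None and c_uid is None:  # runAsUser: 0 is explicit, not None
                flagged.append(f"{pod['metadata']['namespace']}/{pod['metadata']['name']}")
                break
    return flagged


# Constructed sample objects shaped like kubectl -o json output (not from a real cluster).
SAMPLE_NODES = {"items": [
    {"metadata": {"name": "node-a"}, "status": {"nodeInfo": {"kubeletVersion": "v1.14.2"}}},
    {"metadata": {"name": "node-b"}, "status": {"nodeInfo": {"kubeletVersion": "v1.14.1"}}},
]}
SAMPLE_PODS = {"items": [
    {"metadata": {"namespace": "default", "name": "web"},
     "spec": {"containers": [{"name": "app"}]}},
    {"metadata": {"namespace": "default", "name": "worker"},
     "spec": {"securityContext": {"runAsUser": 1000}, "containers": [{"name": "app"}]}},
    {"metadata": {"namespace": "kube-system", "name": "mixed"},
     "spec": {"containers": [{"name": "a", "securityContext": {"runAsUser": 65534}},
                             {"name": "b"}]}},
]}

if __name__ == "__main__":
    # Replace the samples with json.load() of the two kubectl outputs to audit a real cluster.
    print("vulnerable kubelets:", vulnerable_nodes(SAMPLE_NODES))
    print("pods without explicit runAsUser:", pods_without_run_as_user(SAMPLE_PODS))
```

Pods flagged by the second check are the ones to give an explicit runAsUser (or to keep off the affected kubelets); pods that already set mustRunAsNonRoot will fail to start rather than run as root, as the announcement notes.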
***Thank you***

Thank you to the many reporters (https://github.com/kubernetes/kubernetes/pull/78178, https://github.com/kubernetes/kubernetes/issues/78308, https://github.com/rancher/k3s/issues/511), and to Tim Pepper as release manager for the coordination in making this announcement.

Thank You,
Brandon, on behalf of the Kubernetes Product Security Committee