Re: [ANNOUNCE] Security regression in Kubernetes kubelet v1.13.6 and v1.14.2 only - CVE-2019-11245

[Tim Pepper <tpepper () vmware com>]

Just in case anybody missed it explicitly…v1.13.7 and v1.14.3 were released yesterday, including the change for this 
CVE.

--
Tim Pepper
Orchestration & Containers Lead
VMware Open Source Technology Center

From: <kubernetes-dev () googlegroups com> on behalf of Brandon Philips <bphilips () redhat com>
Date: Thursday, May 30, 2019 at 2:57 PM
To: Kubernetes developer/contributor discussion <kubernetes-dev () googlegroups com>, "kubernetes-security-announce () 
googlegroups com" <kubernetes-security-announce () googlegroups com>, kubernetes-security-discuss 
<kubernetes-security-discuss () googlegroups com>, "oss-security () lists openwall com" <oss-security () lists openwall 
com>, "kubernetes-distributors-announce () googlegroups com" <kubernetes-distributors-announce () googlegroups com>
Subject: [ANNOUNCE] Security regression in Kubernetes kubelet v1.13.6 and v1.14.2 only - CVE-2019-11245


Hello Kubernetes Community-


A security-related issue was discovered in kubelet versions v1.13.6 and v1.14.2. The issue is medium severity and can 
be mitigated with a pod spec configuration change OR by **downgrading** kubelets to v1.13.5 or v1.14.1.


**Vulnerability Details**


When a container runs for the first time on a node, it correctly respects the UID set by the container image (e.g. USER 
in a Dockerfile). However, on the second run, the container will run as UID 0 (aka root) which can be an undesired 
escalated privilege.


Pods that specify an explicit runAsUser are unaffected and continue to work properly.

PodSecurityPolicies that force a runAsUser setting are also unaffected and continue to work properly.

Pods that specify mustRunAsNonRoot:true will refuse to start the container as uid 0, which can affect availability.

This issue is filed as CVE-2019-11245. See 
https://github.com/kubernetes/kubernetes/issues/78308<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fkubernetes%2Fkubernetes%2Fissues%2F78308&data=02%7C01%7Ctpepper%40vmware.com%7C4656abfd3c4d492bb60108d6e549d643%7Cb39138ca3cee4b4aa4d6cd83d9dd62f0%7C0%7C0%7C636948502634407306&sdata=miB3xe0VtlfnmX%2BsX7%2BfPSH3dtmPiNnFMGtTD9MMvuY%3D&reserved=0>
 for more details.


**Am I vulnerable?**


Run this to print out all nodes and their kubelet version:



kubectl get nodes -o=jsonpath='{range 
.items[*]}{.status.nodeInfo.machineID}{"\t"}{.status.nodeInfo.kubeletVersion}{"\n"}{end}'


If the output lists Kubelet versions listed below you are running a vulnerable version:

  *
  *   v1.13.6
  *
  *
  *
  *   v1.14.2
  *


**How do I mitigate the vulnerability?**


There are two potential mitigations to this issue:


  *
  *   Downgrade to kubelet v1.13.5 or v1.14.1
  *   as instructed by your Kubernetes distribution.
  *
  *
  *   Set RunAsUser on all pods in the cluster
  *   that should not run as root. This is a Security Context feature; the docs are at
  *   
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fkubernetes.io%2Fdocs%2Ftasks%2Fconfigure-pod-container%2Fsecurity-context%2F%23set-the-security-context-for-a-pod&data=02%7C01%7Ctpepper%40vmware.com%7C4656abfd3c4d492bb60108d6e549d643%7Cb39138ca3cee4b4aa4d6cd83d9dd62f0%7C0%7C0%7C636948502634407306&sdata=01A5f5Nzkf1dJVqJDvh4SZPA%2B%2FsF4MxYDQsJaifF5pA%3D&reserved=0>
  *


**How do I upgrade?**


An upgrade addressing this issue is not yet available. But, will appear in v1.13.7 and v1.14.3 ASAP and will be 
announced here.


**Thank you**


Thank you to 
the<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fkubernetes%2Fkubernetes%2Fpull%2F78178&data=02%7C01%7Ctpepper%40vmware.com%7C4656abfd3c4d492bb60108d6e549d643%7Cb39138ca3cee4b4aa4d6cd83d9dd62f0%7C0%7C0%7C636948502634417303&sdata=q%2FEhtXjiCYE6kYa%2Fjy%2B83MvezfBPR38P%2BrwMZRNEEZA%3D&reserved=0>
 
many<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fkubernetes%2Fkubernetes%2Fissues%2F78308&data=02%7C01%7Ctpepper%40vmware.com%7C4656abfd3c4d492bb60108d6e549d643%7Cb39138ca3cee4b4aa4d6cd83d9dd62f0%7C0%7C0%7C636948502634417303&sdata=bKKBm6g8tY9V%2FQZOHvd1ctuUCRg%2B0kQo65b42FfjbFA%3D&reserved=0>
 
reporters<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Francher%2Fk3s%2Fissues%2F511&data=02%7C01%7Ctpepper%40vmware.com%7C4656abfd3c4d492bb60108d6e549d643%7Cb39138ca3cee4b4aa4d6cd83d9dd62f0%7C0%7C0%7C636948502634427294&sdata=SC1%2FvqrNPi2HQEHCfwRdJicUQlKDAmwv7W41R921FlI%3D&reserved=0>,
 and Tim Pepper as release manager for the coordination in making this announcement.


Thank You,

Brandon on behalf of the Kubernetes Product Security Committee
--
You received this message because you are subscribed to the Google Groups "Kubernetes developer/contributor discussion" 
group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-dev+unsubscribe () 
googlegroups com<mailto:kubernetes-dev+unsubscribe () googlegroups com>.
To post to this group, send email to kubernetes-dev () googlegroups com<mailto:kubernetes-dev () googlegroups com>.
Visit this group at 
https://groups.google.com/group/kubernetes-dev<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fgroup%2Fkubernetes-dev&data=02%7C01%7Ctpepper%40vmware.com%7C4656abfd3c4d492bb60108d6e549d643%7Cb39138ca3cee4b4aa4d6cd83d9dd62f0%7C0%7C0%7C636948502634427294&sdata=SlZBCWaH6iykDnUtkh%2BRSFk68G5%2BDQLJ%2Bdqodzbe%2Bro%3D&reserved=0>.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/kubernetes-dev/CAHHNuYcXG6rqgA%2By3efW8yb5Kbd9CgJq_MfgKz8cUgp4AqbXRg%40mail.gmail.com<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fd%2Fmsgid%2Fkubernetes-dev%2FCAHHNuYcXG6rqgA%252By3efW8yb5Kbd9CgJq_MfgKz8cUgp4AqbXRg%2540mail.gmail.com%3Futm_medium%3Demail%26utm_source%3Dfooter&data=02%7C01%7Ctpepper%40vmware.com%7C4656abfd3c4d492bb60108d6e549d643%7Cb39138ca3cee4b4aa4d6cd83d9dd62f0%7C0%7C0%7C636948502634437289&sdata=2Z6jQYx32El%2BfezZF1HSMExpgu%2FJ1b4UiJMjrySfS6o%3D&reserved=0>.
For more options, visit 
https://groups.google.com/d/optout<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fd%2Foptout&data=02%7C01%7Ctpepper%40vmware.com%7C4656abfd3c4d492bb60108d6e549d643%7Cb39138ca3cee4b4aa4d6cd83d9dd62f0%7C0%7C0%7C636948502634437289&sdata=Qu0%2F47BBRdCcjNaT1v5HKMnII1R3xqxQXNH7Lltdlk0%3D&reserved=0>.