oss-sec mailing list archives
Re: [ANNOUNCE] Security regression in Kubernetes kubelet v1.13.6 and v1.14.2 only - CVE-2019-11245
From: Tim Pepper <tpepper () vmware com>
Date: Fri, 7 Jun 2019 23:31:51 +0000
Just in case anybody missed it explicitly... v1.13.7 and v1.14.3 were released yesterday, including the change for this CVE.

--
Tim Pepper
Orchestration & Containers Lead
VMware Open Source Technology Center

From: <kubernetes-dev () googlegroups com> on behalf of Brandon Philips <bphilips () redhat com>
Date: Thursday, May 30, 2019 at 2:57 PM
To: Kubernetes developer/contributor discussion <kubernetes-dev () googlegroups com>, "kubernetes-security-announce () googlegroups com" <kubernetes-security-announce () googlegroups com>, kubernetes-security-discuss <kubernetes-security-discuss () googlegroups com>, "oss-security () lists openwall com" <oss-security () lists openwall com>, "kubernetes-distributors-announce () googlegroups com" <kubernetes-distributors-announce () googlegroups com>
Subject: [ANNOUNCE] Security regression in Kubernetes kubelet v1.13.6 and v1.14.2 only - CVE-2019-11245

Hello Kubernetes Community-

A security-related issue was discovered in kubelet versions v1.13.6 and v1.14.2. The issue is medium severity and can be mitigated with a pod spec configuration change OR by **downgrading** kubelets to v1.13.5 or v1.14.1.

**Vulnerability Details**

When a container runs for the first time on a node, it correctly respects the UID set by the container image (e.g. USER in a Dockerfile). However, on the second run, the container will run as UID 0 (aka root), which can be an undesired escalated privilege.

Pods that specify an explicit runAsUser are unaffected and continue to work properly. PodSecurityPolicies that force a runAsUser setting are also unaffected and continue to work properly. Pods that specify mustRunAsNonRoot:true will refuse to start the container as uid 0, which can affect availability.

This issue is filed as CVE-2019-11245. See https://github.com/kubernetes/kubernetes/issues/78308 for more details.

**Am I vulnerable?**

Run this to print out all nodes and their kubelet version:

    kubectl get nodes -o=jsonpath='{range .items[*]}{.status.nodeInfo.machineID}{"\t"}{.status.nodeInfo.kubeletVersion}{"\n"}{end}'

If the output lists any of the kubelet versions below, you are running a vulnerable version:

* v1.13.6
* v1.14.2

**How do I mitigate the vulnerability?**

There are two potential mitigations to this issue:

* Downgrade to kubelet v1.13.5 or v1.14.1, as instructed by your Kubernetes distribution.
* Set RunAsUser on all pods in the cluster that should not run as root. This is a Security Context feature; the docs are at https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod

**How do I upgrade?**

An upgrade addressing this issue is not yet available, but will appear in v1.13.7 and v1.14.3 ASAP and will be announced here.

**Thank you**

Thank you to the many reporters (https://github.com/kubernetes/kubernetes/pull/78178, https://github.com/kubernetes/kubernetes/issues/78308, https://github.com/rancher/k3s/issues/511), and Tim Pepper as release manager for the coordination in making this announcement.

Thank You,
Brandon on behalf of the Kubernetes Product Security Committee

--
You received this message because you are subscribed to the Google Groups "Kubernetes developer/contributor discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-dev+unsubscribe () googlegroups com.
To post to this group, send email to kubernetes-dev () googlegroups com.
Visit this group at https://groups.google.com/group/kubernetes-dev.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-dev/CAHHNuYcXG6rqgA%2By3efW8yb5Kbd9CgJq_MfgKz8cUgp4AqbXRg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
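As an added example (not part of the announcement, and not Kubernetes project tooling), the following POSIX shell script turns the advisory's "Am I vulnerable?" check and its runAsUser mitigation into an audit that can be run from a cron job or CI gate. It assumes the node listing has the exact `machineID<TAB>kubeletVersion` format produced by the kubectl jsonpath query in the announcement, and it adds a second jsonpath query of my own (`.spec.securityContext.runAsUser`) for listing pods that lack a pod-level runAsUser; both listings below are constructed sample data embedded inline so the script runs offline. The pod check deliberately covers only the pod-level field; a container-level securityContext that sets runAsUser would also satisfy the advisory's "explicit runAsUser" condition but is not inspected here.

```shell
#!/bin/sh
# Added example: audit a cluster for CVE-2019-11245 exposure.
# Not part of the advisory or of any Kubernetes release tooling.

# Affected and fixed kubelet releases, exactly as listed in the announcement.
VULNERABLE_VERSIONS="v1.13.6 v1.14.2"
FIXED_VERSIONS="v1.13.7 v1.14.3"

# Constructed sample: what the announcement's query would print, one node per line.
#   kubectl get nodes -o=jsonpath='{range .items[*]}{.status.nodeInfo.machineID}{"\t"}{.status.nodeInfo.kubeletVersion}{"\n"}{end}'
SAMPLE_NODES="$(printf 'aaaa1111\tv1.14.2\nbbbb2222\tv1.14.3\ncccc3333\tv1.13.6-custom.1\ndddd4444\tv1.13.5\n')"

# Constructed sample: namespace, pod name, pod-level runAsUser (empty when unset).
# Assumed query (my own, not from the advisory):
#   kubectl get pods -A -o=jsonpath='{range .items[*]}{.metadata.namespace}{"\t"}{.metadata.name}{"\t"}{.spec.securityContext.runAsUser}{"\n"}{end}'
SAMPLE_PODS="$(printf 'default\tweb-1\t\ndefault\tapi-1\t1000\nkube-system\tcoredns-x\t\n')"

TAB="$(printf '\t')"

# is_vulnerable VERSION -> exit 0 if VERSION is one of the affected releases.
# Build suffixes after the patch number (e.g. "-custom.1") are stripped first;
# a distribution may have backported the fix into such a build, so a match
# should be confirmed with the vendor, as the advisory itself says.
is_vulnerable() {
    base=$(printf '%s' "$1" | sed -n 's/^\(v[0-9]*\.[0-9]*\.[0-9]*\).*/\1/p')
    for bad in $VULNERABLE_VERSIONS; do
        [ "$base" = "$bad" ] && return 0
    done
    return 1
}

# vulnerable_nodes < node-list : prints machineID and version of each affected node.
vulnerable_nodes() {
    while IFS="$TAB" read -r machine_id version; do
        [ -z "$machine_id" ] && continue
        if is_vulnerable "$version"; then
            printf '%s\t%s\n' "$machine_id" "$version"
        fi
    done
}

# count_vulnerable < node-list : number of affected nodes (non-zero fails a CI gate).
count_vulnerable() {
    vulnerable_nodes | wc -l | tr -d ' '
}

# pods_missing_run_as_user < pod-list : pods with no pod-level runAsUser, i.e. the
# pods the advisory's second mitigation asks you to fix if they must not run as root.
pods_missing_run_as_user() {
    while IFS="$TAB" read -r ns pod uid; do
        [ -z "$pod" ] && continue
        if [ -z "$uid" ]; then
            printf '%s/%s\n' "$ns" "$pod"
        fi
    done
}

# Run against the constructed samples; replace with the kubectl pipelines in practice.
echo "Nodes running an affected kubelet (fixed releases: $FIXED_VERSIONS):"
printf '%s\n' "$SAMPLE_NODES" | vulnerable_nodes
echo "Pods without a pod-level runAsUser:"
printf '%s\n' "$SAMPLE_PODS" | pods_missing_run_as_user
```

In a live cluster, feed `vulnerable_nodes` and `pods_missing_run_as_user` from the two kubectl queries instead of the samples, and treat a non-zero `count_vulnerable` as a failed check until the nodes are on v1.13.7 or v1.14.3 (or downgraded, per the advisory).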
Current thread:
- [ANNOUNCE] Security regression in Kubernetes kubelet v1.13.6 and v1.14.2 only - CVE-2019-11245 Brandon Philips (May 31)
- Re: [ANNOUNCE] Security regression in Kubernetes kubelet v1.13.6 and v1.14.2 only - CVE-2019-11245 Tim Pepper (Jun 08)