
CVE-2019-11243: v1.12.0-v1.12.4, v1.13.0: rest.AnonymousClientConfig() does not remove the serviceaccount credentials from config created by rest.InClusterConfig() #76797

Closed
liggitt opened this issue Apr 18, 2019 · 2 comments
Labels
area/security kind/bug Categorizes issue or PR as related to a bug. official-cve-feed Issues or PRs related to CVEs officially announced by Security Response Committee (SRC) sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/auth Categorizes an issue or PR as relevant to SIG Auth.

Comments

@liggitt
Member

liggitt commented Apr 18, 2019

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

The rest.AnonymousClientConfig() method returns a copy of the provided config, with credentials removed (bearer token, username/password, and client certificate/key data).

In the following versions, rest.AnonymousClientConfig() did not effectively clear service account credentials loaded using rest.InClusterConfig():

  • v1.12.0-v1.12.4
  • v1.13.0

What is the impact?

  • k8s.io/client-go users that use the rest.AnonymousClientConfig() method directly with client config loaded with rest.InClusterConfig() receive back a client config which can still send the loaded service account token with requests.

How was the issue fixed?

How do I resolve the issue?

  • Upgrade k8s.io/client-go to kubernetes-1.12.5, kubernetes-1.13.1, kubernetes-1.14.0, or higher
  • or manually clear the config.WrapTransport and config.Transport fields in addition to calling rest.AnonymousClientConfig()

Thanks to Oleg Bulatov of Red Hat for reporting this issue.

/area security
/kind bug
/sig auth
/sig api-machinery
/assign
/close
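To make the failure mode concrete, here is an added, constructed model of the bug and of the workaround described above; it is not client-go's own code. `Config`, `tokenWrapper`, `flawedAnonymous`, `hardenedAnonymous`, `sentAuthHeader` and `inCluster` are all constructed names that stand in for the relevant parts of `rest.Config`, `rest.InClusterConfig()` and `rest.AnonymousClientConfig()`; the point is that a WrapTransport can attach the service account token on its own, so clearing the credential fields alone does not produce an anonymous client.

```go
package main

import "net/http"

// Config is a constructed stand-in for the client-go rest.Config fields relevant here.
type Config struct {
	BearerToken   string
	Transport     http.RoundTripper
	WrapTransport func(http.RoundTripper) http.RoundTripper
}
type roundTripFunc func(*http.Request) (*http.Response, error)
func (f roundTripFunc) RoundTrip(r *http.Request) (*http.Response, error) { return f(r) }
// tokenWrapper models a WrapTransport that attaches the service account token by itself.
func tokenWrapper(token string) func(http.RoundTripper) http.RoundTripper {
	return func(rt http.RoundTripper) http.RoundTripper {
		return roundTripFunc(func(r *http.Request) (*http.Response, error) {
			r.Header.Set("Authorization", "Bearer "+token)
			return rt.RoundTrip(r)
		})
	}
}
// flawedAnonymous mirrors the affected versions: credential fields are dropped, transports are kept.
func flawedAnonymous(c *Config) *Config {
	return &Config{Transport: c.Transport, WrapTransport: c.WrapTransport}
}
// hardenedAnonymous adds the advisory's workaround: clear Transport and WrapTransport too.
func hardenedAnonymous(c *Config) *Config {
	a := flawedAnonymous(c)
	a.Transport, a.WrapTransport = nil, nil
	return a
}
// sentAuthHeader builds the chain as a client would; returns the Authorization header the base transport sees.
func sentAuthHeader(c *Config) string {
	var got string
	var rt http.RoundTripper = roundTripFunc(func(r *http.Request) (*http.Response, error) {
		got = r.Header.Get("Authorization")
		return &http.Response{StatusCode: 200, Body: http.NoBody}, nil
	})
	if c.WrapTransport != nil {
		rt = c.WrapTransport(rt)
	}
	if c.BearerToken != "" {
		rt = tokenWrapper(c.BearerToken)(rt)
	}
	req, _ := http.NewRequest("GET", "http://kubernetes.default.svc/api", nil)
	rt.RoundTrip(req) // the recorder never errors
	return got
}
// inCluster stands in for rest.InClusterConfig(): the (constructed) token sits in BearerToken and in the wrapper.
var inCluster = &Config{BearerToken: "constructed-sa-token", WrapTransport: tokenWrapper("constructed-sa-token")}
```

Calling `sentAuthHeader(flawedAnonymous(inCluster))` still yields the bearer header even though `BearerToken` is empty, while `sentAuthHeader(hardenedAnonymous(inCluster))` yields none.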

@k8s-ci-robot
Contributor

@liggitt: Closing this issue.

In response to this:

The rest.AnonymousClientConfig() method returns a copy of the provided config, with credentials removed (bearer token, username/password, and client certificate/key data).

In the following versions, rest.AnonymousClientConfig() did not effectively clear service account credentials loaded using rest.InClusterConfig():

  • v1.12.0-v1.12.4
  • v1.13.0

What is the impact?

  • k8s.io/client-go users that use the rest.AnonymousClientConfig() method directly with client config loaded with rest.InClusterConfig() receive back a client config which can still send the loaded service account token with requests.

How was the issue fixed?

How do I resolve the issue?

  • Upgrade k8s.io/client-go to kubernetes-1.12.5, kubernetes-1.13.1, kubernetes-1.14.0, or higher
  • or manually clear the config.WrapTransport and config.Transport fields in addition to calling rest.AnonymousClientConfig()

Thanks to Oleg Bulatov for reporting this issue.

/area security
/kind bug
/sig auth
/sig api-machinery
/assign
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added kind/bug Categorizes issue or PR as related to a bug. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. labels Apr 18, 2019
@PushkarJ
Member

/label official-cve-feed

(Related to kubernetes/sig-security#1)
