
CVE-2019-11247: API server allows access to custom resources via wrong scope #80983

Closed
joelsmith opened this issue Aug 5, 2019 · 10 comments
Labels
area/security kind/bug Categorizes issue or PR as related to a bug. official-cve-feed Issues or PRs related to CVEs officially announced by Security Response Committee (SRC) sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/auth Categorizes an issue or PR as relevant to SIG Auth.

Comments

@joelsmith
Contributor

joelsmith commented Aug 5, 2019

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

The API server mistakenly allows access to a cluster-scoped custom resource if the request is made as if the resource were namespaced. Authorizations for the resource accessed in this manner are enforced using roles and role bindings within the namespace, meaning that a user with access only to a resource in one namespace could create, view, update or delete the cluster-scoped resource (according to their namespace role privileges).

Vulnerable versions:
Kubernetes 1.7.x-1.12.x
Kubernetes 1.13.0-1.13.8
Kubernetes 1.14.0-1.14.4
Kubernetes 1.15.0-1.15.1

Vulnerable configurations:
All clusters that have rolebindings to roles and clusterroles that include authorization rules for cluster-scoped custom resources.

Vulnerability impact:
A user with access to custom resources in a single namespace can access custom resources with cluster scope.

Mitigations prior to upgrading:
To mitigate, remove authorization rules that grant access to cluster-scoped resources within namespaces. For example, RBAC roles and clusterroles intended to be referenced by namespaced rolebindings should not grant access to resources:[*], apiGroups:[*], or grant access to cluster-scoped custom resources.

Fixed versions:
Fixed in v1.13.9 by #80852
Fixed in v1.14.5 by #80851
Fixed in v1.15.2 by #80850
Fixed in master by #80750

Fix impact:
Permission to the correct scope will be required to access cluster-scoped custom resources.

Acknowledgements:
This issue was discovered by Prabu Shyam of Verizon Media. Thanks to Stefan Schimanski for the fix, to David Eads for the fix review, and to the release managers for creating the security releases.
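The mitigation above asks operators to find roles and clusterroles, referenced by namespaced rolebindings, that grant wildcard resources/apiGroups or name cluster-scoped custom resources. The following is an added audit script, not code from the issue or the Kubernetes project: it works offline over objects in the shape of `kubectl get ... -o json` items, and the CRD (`widgets.example.com`), namespace and role names are constructed. In a real cluster the `cluster_scoped` set would be built from every CRD whose `spec.scope` is `Cluster`.

```python
# Added example: offline audit of RBAC objects for grants the advisory says a
# namespaced RoleBinding should not reference. Names below are hypothetical.

def risky_rules(role, cluster_scoped):
    """Yield (reason, rule) for wildcard resources/apiGroups or for resources
    whose CRD has spec.scope == "Cluster" (given as (group, plural) pairs)."""
    for rule in role.get("rules", []):
        groups, resources = rule.get("apiGroups", []), rule.get("resources", [])
        if "*" in groups or "*" in resources:
            yield "wildcard grant", rule
            continue
        for g in groups:
            for r in resources:
                if (g, r.split("/")[0]) in cluster_scoped:  # ignore subresource suffix
                    yield f"cluster-scoped custom resource {r}.{g}", rule

def audit_rolebindings(rolebindings, roles, clusterroles, cluster_scoped):
    """Resolve each RoleBinding's roleRef and report risky rules in its target."""
    index = {("Role", r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    index.update({("ClusterRole", "", c["metadata"]["name"]): c for c in clusterroles})
    findings = []
    for rb in rolebindings:
        ns, ref = rb["metadata"]["namespace"], rb["roleRef"]
        target = index.get((ref["kind"], ns if ref["kind"] == "Role" else "", ref["name"]))
        if target is None:
            continue  # dangling roleRef grants nothing
        for reason, _rule in risky_rules(target, cluster_scoped):
            findings.append(f"{ns}/{rb['metadata']['name']} -> {ref['kind']}/{ref['name']}: {reason}")
    return findings

# Constructed sample objects in the shape of `kubectl get ... -o json` items.
CLUSTER_SCOPED = {("example.com", "widgets")}  # hypothetical CRD with scope: Cluster
ROLES = [
    {"metadata": {"namespace": "team-a", "name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"metadata": {"namespace": "team-a", "name": "ns-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]
CLUSTERROLES = [
    {"metadata": {"name": "widget-editor"},
     "rules": [{"apiGroups": ["example.com"], "resources": ["widgets"], "verbs": ["update"]}]},
]
ROLEBINDINGS = [
    {"metadata": {"namespace": "team-a", "name": "rb-pods"}, "roleRef": {"kind": "Role", "name": "pod-reader"}},
    {"metadata": {"namespace": "team-a", "name": "rb-admin"}, "roleRef": {"kind": "Role", "name": "ns-admin"}},
    {"metadata": {"namespace": "team-a", "name": "rb-widgets"}, "roleRef": {"kind": "ClusterRole", "name": "widget-editor"}},
]
```

Running `audit_rolebindings(ROLEBINDINGS, ROLES, CLUSTERROLES, CLUSTER_SCOPED)` flags `rb-admin` (wildcard grant) and `rb-widgets` (cluster-scoped custom resource) while leaving the pod-reader binding alone; on an unpatched cluster those two bindings are the ones the advisory says to tighten.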

@joelsmith joelsmith added the kind/bug Categorizes issue or PR as related to a bug. label Aug 5, 2019
@k8s-ci-robot k8s-ci-robot added area/security needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Aug 5, 2019
@joelsmith
Contributor Author

/sig cli

@k8s-ci-robot k8s-ci-robot added sig/cli Categorizes an issue or PR as relevant to SIG CLI. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Aug 5, 2019
@joelsmith
Contributor Author

/sig auth
I added sig/cli by mistake

@k8s-ci-robot k8s-ci-robot added the sig/auth Categorizes an issue or PR as relevant to SIG Auth. label Aug 5, 2019
@joelsmith joelsmith changed the title WIP Placeholder Issue #1 CVE-2019-11247: API server allows access to custom resources via wrong scope Aug 5, 2019
@joelsmith
Contributor Author

Fixed in #80750 and associated cherry-picks.

@joelsmith
Contributor Author

/sig api-machinery

@k8s-ci-robot k8s-ci-robot added the sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. label Aug 5, 2019
@hoegaarden
Contributor

/remove-sig cli

@k8s-ci-robot k8s-ci-robot removed the sig/cli Categorizes an issue or PR as relevant to SIG CLI. label Aug 5, 2019
@ericgriffis

Is there a reason this isn't patched in 1.12 and below? We're running k8s with kops, which currently only supports 1.13 in beta and 1.14 in alpha, which means we haven't upgraded to these versions yet. @joelsmith

@mjhuber

mjhuber commented Aug 5, 2019

Is there a reason this isn't patched in 1.12 and below? We're running k8s with kops, which currently only supports 1.13 in beta and 1.14 in alpha, which means we haven't upgraded to these versions yet. @joelsmith

kops 1.13.0 was released on 8/2

@kbruner

kbruner commented Aug 5, 2019

Unfortunately for GCP customers, new GKE clusters still default to 1.12.

@destijl
Member

destijl commented Aug 7, 2019

@kbruner GKE customers will have patched versions to upgrade to, please see this bulletin:
https://cloud.google.com/kubernetes-engine/docs/security-bulletins#august-05-2019

@PushkarJ
Member

/label official-cve-feed

(Related to kubernetes/sig-security#1)
