CVE-2019-11247: API server allows access to custom resources via wrong scope #80983
Comments
/sig cli

/sig auth

Fixed in #80750 and associated cherry-picks.

/sig api-machinery

/remove-sig cli

Is there a reason this isn't patched in 1.12 and below? We're running k8s with kops, which currently only supports 1.13 in beta and 1.14 in alpha, which means we haven't upgraded to these versions yet. @joelsmith

kops 1.13.0 was released on 8/2

Unfortunately for GCP customers, new GKE clusters still default to 1.12.

@kbruner GKE customers will have patched versions to upgrade to, please see this bulletin:

/label official-cve-feed (Related to kubernetes/sig-security#1)
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
The API server mistakenly allows access to a cluster-scoped custom resource if the request is made as if the resource were namespaced. Authorizations for the resource accessed in this manner are enforced using roles and role bindings within the namespace, meaning that a user with access only to a resource in one namespace could create, view, update or delete the cluster-scoped resource (according to their namespace role privileges).
Vulnerable versions:
Kubernetes 1.7.x-1.12.x
Kubernetes 1.13.0-1.13.8
Kubernetes 1.14.0-1.14.4
Kubernetes 1.15.0-1.15.1
Vulnerable configurations:
All clusters that have rolebindings to roles and clusterroles that include authorization rules for cluster-scoped custom resources.
Vulnerability impact:
A user with access to custom resources in a single namespace can access custom resources with cluster scope.
Mitigations prior to upgrading:
To mitigate, remove authorization rules that grant access to cluster-scoped resources within namespaces. For example, RBAC roles and clusterroles intended to be referenced by namespaced rolebindings should not grant access to resources:[*], apiGroups:[*], or grant access to cluster-scoped custom resources.
Fixed versions:
Fixed in v1.13.9 by #80852
Fixed in v1.14.5 by #80851
Fixed in v1.15.2 by #80850
Fixed in master by #80750
Fix impact:
Permission to the correct scope will be required to access cluster-scoped custom resources.
Acknowledgements:
This issue was discovered by Prabu Shyam of Verizon Media. Thanks to Stefan Schimanski for the fix, to David Eads for the fix review, and to the release managers for creating the security releases.
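The mitigation above says that roles and clusterroles referenced by namespaced rolebindings should not grant resources:[*], apiGroups:[*], or cluster-scoped custom resources. The audit script below is an added example, not code from this issue or the Kubernetes project; it assumes RBAC objects in the shape of `kubectl get ... -o json` items and a constructed list of cluster-scoped CRD (apiGroup, resource) pairs such as `kubectl api-resources --namespaced=false` would report.

```python
"""Audit namespaced RoleBindings for the CVE-2019-11247 mitigation: roles bound
inside a namespace must not grant resources:[*], apiGroups:[*], or cluster-scoped
custom resources. Inputs mirror `kubectl get ... -o json` items (constructed)."""

# Assumption: (apiGroup, resource) pairs of cluster-scoped CRDs, as listed by
# `kubectl api-resources --namespaced=false`; constructed sample value.
CLUSTER_SCOPED_CRDS = {("example.com", "widgetpolicies")}

def offending_rules(role, cluster_scoped=CLUSTER_SCOPED_CRDS):
    """Return the rules of `role` that grant wildcard or cluster-scoped CRD access."""
    bad = []
    for rule in role.get("rules", []):
        groups, resources = rule.get("apiGroups", []), rule.get("resources", [])
        if "*" in resources or "*" in groups:
            bad.append(rule)
        elif any((g, r) in cluster_scoped for g in groups for r in resources):
            bad.append(rule)
    return bad

def audit(rolebindings, roles):
    """Return (namespace, binding, role, rule) tuples for offending namespaced bindings."""
    index = {(r["kind"], r["metadata"].get("namespace"), r["metadata"]["name"]): r
             for r in roles}
    findings = []
    for rb in rolebindings:
        ns, ref = rb["metadata"]["namespace"], rb["roleRef"]
        # A RoleBinding may reference a Role in its own namespace or any ClusterRole.
        role = index.get((ref["kind"], ns if ref["kind"] == "Role" else None, ref["name"]))
        if role is None:
            continue  # dangling roleRef grants nothing
        for rule in offending_rules(role):
            findings.append((ns, rb["metadata"]["name"], ref["name"], rule))
    return findings

# Constructed samples: a Role granting a cluster-scoped CRD, a wildcard ClusterRole
# bound into a namespace, and a benign Role that must not be flagged.
SAMPLE_ROLES = [
    {"kind": "Role", "metadata": {"namespace": "team-a", "name": "widget-editor"},
     "rules": [{"apiGroups": ["example.com"], "resources": ["widgetpolicies"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "admin-like"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"namespace": "team-b", "name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
]
SAMPLE_BINDINGS = [
    {"metadata": {"namespace": "team-a", "name": "rb-widgets"}, "roleRef": {"kind": "Role", "name": "widget-editor"}},
    {"metadata": {"namespace": "team-a", "name": "rb-admin"}, "roleRef": {"kind": "ClusterRole", "name": "admin-like"}},
    {"metadata": {"namespace": "team-b", "name": "rb-pods"}, "roleRef": {"kind": "Role", "name": "pod-reader"}},
]
```

Running `audit(SAMPLE_BINDINGS, SAMPLE_ROLES)` reports the two team-a bindings and leaves the pod-reader binding alone; on a live cluster the same functions can be fed the parsed output of `kubectl get roles,clusterroles,rolebindings -A -o json`.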