
CVE-2019-11247: API server allows access to custom resources via wrong scope #80983

Closed
joelsmith opened this issue Aug 5, 2019 · 9 comments

Comments

@joelsmith
Contributor

commented Aug 5, 2019

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

The API server mistakenly allows access to a cluster-scoped custom resource if the request is made as if the resource were namespaced. Authorizations for the resource accessed in this manner are enforced using roles and role bindings within the namespace, meaning that a user with access only to a resource in one namespace could create, view, update or delete the cluster-scoped resource (according to their namespace role privileges).

Vulnerable versions:
Kubernetes 1.7.x-1.12.x
Kubernetes 1.13.0-1.13.8
Kubernetes 1.14.0-1.14.4
Kubernetes 1.15.0-1.15.1

Vulnerable configurations:
All clusters that have rolebindings to roles and clusterroles that include authorization rules for cluster-scoped custom resources.

Vulnerability impact:
A user with access to custom resources in a single namespace can access custom resources with cluster scope.

Mitigations prior to upgrading:
To mitigate, remove authorization rules that grant access to cluster-scoped resources within namespaces. For example, RBAC roles and clusterroles intended to be referenced by namespaced rolebindings should not grant access to resources:[*], apiGroups:[*], or grant access to cluster-scoped custom resources.

Fixed versions:
Fixed in v1.13.9 by #80852
Fixed in v1.14.5 by #80851
Fixed in v1.15.2 by #80850
Fixed in master by #80750

Fix impact:
Permission to the correct scope will be required to access cluster-scoped custom resources.

Acknowledgements:
This issue was discovered by Prabu Shyam of Verizon Media. Thanks to Stefan Schimanski for the fix, to David Eads for the fix review, and to the release managers for creating the security releases.
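The mitigation above asks operators to find Role and ClusterRole rules reachable through namespaced RoleBindings that grant wildcards or cluster-scoped custom resources. The following audit is an added example, not code from the issue or the Kubernetes project; the CRDs, roles and bindings are constructed sample data standing in for the output of `kubectl get crd,roles,clusterroles,rolebindings -A -o json`, and all names are hypothetical.

```python
"""Added audit (not from the advisory): flag rules reachable through
namespaced RoleBindings that grant wildcards or cluster-scoped CRDs,
the pattern the advisory says to remove. All data below is constructed."""
# Constructed CRDs with their spec.scope; names are hypothetical.
CRDS = [
    {"group": "example.com", "plural": "widgets", "scope": "Cluster"},
    {"group": "example.com", "plural": "gadgets", "scope": "Namespaced"},
]
# Constructed Roles/ClusterRoles keyed by (kind, name) -> list of rules.
ROLES = {
    ("Role", "ns-admin"): [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
    ("ClusterRole", "widget-editor"): [
        {"apiGroups": ["example.com"], "resources": ["widgets"], "verbs": ["get", "update"]}],
    ("ClusterRole", "gadget-viewer"): [
        {"apiGroups": ["example.com"], "resources": ["gadgets"], "verbs": ["get"]}],
}
# Constructed namespaced RoleBindings and the roleRef each points at.
ROLEBINDINGS = [
    {"namespace": "team-a", "name": "rb-admin", "roleRef": {"kind": "Role", "name": "ns-admin"}},
    {"namespace": "team-a", "name": "rb-widgets", "roleRef": {"kind": "ClusterRole", "name": "widget-editor"}},
    {"namespace": "team-b", "name": "rb-gadgets", "roleRef": {"kind": "ClusterRole", "name": "gadget-viewer"}},
]

def cluster_scoped_crds(crds):
    """Return the set of (group, plural) for CRDs whose scope is Cluster."""
    return {(c["group"], c["plural"]) for c in crds if c["scope"] == "Cluster"}

def rule_findings(rule, cluster_crds):
    """Reasons one PolicyRule is risky when reached via a namespaced binding."""
    groups, resources = rule.get("apiGroups", []), rule.get("resources", [])
    if "*" in groups or "*" in resources:
        return ["wildcard apiGroups/resources"]
    # A CRD counts if its group matches and its plural or a subresource is listed.
    return ["cluster-scoped CRD %s/%s" % (g, r) for g, r in sorted(cluster_crds)
            if g in groups and any(x == r or x.startswith(r + "/") for x in resources)]

def audit(rolebindings, roles, crds):
    """Return (namespace, binding, roleRef, reason) tuples for risky grants."""
    cluster_crds = cluster_scoped_crds(crds)
    findings = []
    for rb in rolebindings:
        ref = (rb["roleRef"]["kind"], rb["roleRef"]["name"])
        for rule in roles.get(ref, []):
            for why in rule_findings(rule, cluster_crds):
                findings.append((rb["namespace"], rb["name"], "/".join(ref), why))
    return findings

if __name__ == "__main__":
    for f in audit(ROLEBINDINGS, ROLES, CRDS):
        print("namespace=%s binding=%s roleRef=%s: %s" % f)
```

The namespaced-only `gadget-viewer` grant produces no finding; only the wildcard role and the binding that reaches a cluster-scoped CRD are reported.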

@joelsmith

Contributor Author

commented Aug 5, 2019

/sig cli

@k8s-ci-robot k8s-ci-robot added sig/cli and removed needs-sig labels Aug 5, 2019

@joelsmith

Contributor Author

commented Aug 5, 2019

/sig auth
I added sig/cli by mistake

@joelsmith joelsmith changed the title WIP Placeholder Issue #1 CVE-2019-11247: API server allows access to custom resources via wrong scope Aug 5, 2019

@joelsmith

Contributor Author

commented Aug 5, 2019

Fixed in #80750 and associated cherry-picks.

@joelsmith joelsmith closed this Aug 5, 2019

@joelsmith

Contributor Author

commented Aug 5, 2019

/sig api-machinery

@hoegaarden

Member

commented Aug 5, 2019

/remove-sig cli

@k8s-ci-robot k8s-ci-robot removed the sig/cli label Aug 5, 2019

@ericgriffis


commented Aug 5, 2019

Is there a reason this isn't patched in 1.12 and below? We're running k8s with kops, which currently only supports 1.13 in beta and 1.14 in alpha, which means we haven't upgraded to these versions yet. @joelsmith

@mjhuber


commented Aug 5, 2019

Is there a reason this isn't patched in 1.12 and below? We're running k8s with kops, which currently only supports 1.13 in beta and 1.14 in alpha, which means we haven't upgraded to these versions yet. @joelsmith

kops 1.13.0 was released on 8/2

@kbruner


commented Aug 5, 2019

Unfortunately for GCP customers, new GKE clusters still default to 1.12.

@destijl

Member

commented Aug 7, 2019

@kbruner GKE customers will have patched versions to upgrade to, please see this bulletin:
https://cloud.google.com/kubernetes-engine/docs/security-bulletins#august-05-2019
