CVE-2019-11248: /debug/pprof exposed on kubelet's healthz port #81023

Closed
liggitt opened this issue Aug 6, 2019 · 3 comments · Fixed by #78313
Labels
area/security kind/bug Categorizes issue or PR as related to a bug. needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. official-cve-feed Issues or PRs related to CVEs officially announced by Security Response Committee (SRC)

Comments

@liggitt
Member

liggitt commented Aug 6, 2019

The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet healthz port. Versions prior to 1.15.0, 1.14.4, 1.13.8, and 1.12.10 are affected. The issue is of medium severity, but not exposed by the default configuration. If you are exposed we recommend upgrading to at least one of the versions listed.

Am I vulnerable?
By default, the Kubelet exposes unauthenticated healthz endpoints on port :10248, but only over localhost. If your nodes are using a non-localhost healthzBindAddress (--healthz-bind-address), and an older version, you may be vulnerable. If your nodes are using the default localhost healthzBindAddress, it is only exposed to pods or processes running in the host network namespace.

Run kubectl get nodes to see whether nodes are running a vulnerable version.

Run kubectl get --raw /api/v1/nodes/${NODE_NAME}/proxy/configz to check whether the "healthzBindAddress" is non-local.

How do I mitigate the vulnerability?

  • Upgrade to a patched version (1.15.0+, 1.14.4+, 1.13.8+, or 1.12.10+)
  • or, update node configurations to set the "healthzBindAddress" to "127.0.0.1".

#79184 fixed in 1.12.10
#79183 fixed in 1.13.8
#79182 fixed in 1.14.4
#78313 fixed in 1.15.0

Vulnerability Details
The go pprof endpoint is exposed over the Kubelet's healthz port. This debugging endpoint can potentially leak sensitive information such as internal Kubelet memory addresses and configuration, or be used for limited denial of service.

Thanks to Jordan Zebor of F5 Networks for reporting this problem.

/area security
/close
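
The "Am I vulnerable?" steps above automated as a Go program. This is an added example, not code from the issue or from the kubernetes project: it runs the same two kubectl commands the issue names (kubectl get nodes for the kubelet version, kubectl get --raw /api/v1/nodes/NAME/proxy/configz for healthzBindAddress), compares the version against the fixed releases listed in the issue, and reports a verdict per node. The jsonpath template, the assumed /configz shape ({"kubeletconfig": {...}}), the set of addresses treated as loopback, and all function names are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os/exec"
	"regexp"
	"strconv"
	"strings"
)

// Lowest fixed patch level per 1.x minor, from the issue text.
var patchedPatch = map[int]int{12: 10, 13: 8, 14: 4, 15: 0}
var versionRe = regexp.MustCompile(`^v?(\d+)\.(\d+)\.(\d+)`)

// IsPatched: true when the kubelet is at or above the fixed release for its
// minor; unparseable versions and minors below 1.12 count as unpatched.
func IsPatched(version string) bool {
	m := versionRe.FindStringSubmatch(version)
	if m == nil {
		return false
	}
	major, _ := strconv.Atoi(m[1])
	minor, _ := strconv.Atoi(m[2])
	patch, _ := strconv.Atoi(m[3])
	if major > 1 || (major == 1 && minor > 15) {
		return true
	}
	need, ok := patchedPatch[minor]
	return major == 1 && ok && patch >= need
}

// Assumed /configz shape: {"kubeletconfig": {"healthzBindAddress": ...}}.
type configz struct {
	KubeletConfig struct {
		HealthzBindAddress string `json:"healthzBindAddress"`
	} `json:"kubeletconfig"`
}

// HealthzBindAddress parses a raw /configz body; absent means the default 127.0.0.1.
func HealthzBindAddress(raw []byte) (string, error) {
	var c configz
	if err := json.Unmarshal(raw, &c); err != nil {
		return "", err
	}
	if c.KubeletConfig.HealthzBindAddress == "" {
		return "127.0.0.1", nil
	}
	return c.KubeletConfig.HealthzBindAddress, nil
}

// Assess combines the two checks into one verdict per node.
func Assess(version string, rawConfigz []byte) (string, error) {
	addr, err := HealthzBindAddress(rawConfigz)
	if err != nil {
		return "", err
	}
	switch {
	case addr == "127.0.0.1" || addr == "::1" || addr == "localhost":
		// The issue treats the default localhost binding as not exposed.
		return "not exposed (healthz bound to " + addr + ")", nil
	case IsPatched(version):
		return "exposed on " + addr + " but patched", nil
	default:
		return "VULNERABLE: healthz on " + addr + ", kubelet " + version, nil
	}
}

// auditCluster runs the issue's two kubectl commands for every node.
func auditCluster() error {
	out, err := exec.Command("kubectl", "get", "nodes", "-o",
		`jsonpath={range .items[*]}{.metadata.name} {.status.nodeInfo.kubeletVersion}{"\n"}{end}`).Output()
	if err != nil {
		return err
	}
	for _, line := range strings.Split(strings.TrimSpace(string(out)), "\n") {
		f := strings.Fields(line)
		if len(f) != 2 {
			continue
		}
		raw, err := exec.Command("kubectl", "get", "--raw",
			"/api/v1/nodes/"+f[0]+"/proxy/configz").Output()
		if err != nil {
			return err
		}
		verdict, err := Assess(f[1], raw)
		if err != nil {
			return err
		}
		fmt.Printf("%s\t%s\n", f[0], verdict)
	}
	return nil
}

func main() {
	if err := auditCluster(); err != nil {
		fmt.Println("cluster audit skipped:", err)
	}
}
```

Run it with a kubeconfig that can reach the API server and read node proxy subresources; a node bound to 127.0.0.1 is reported as not exposed regardless of version, matching the mitigation in the issue.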

@liggitt liggitt added the kind/bug Categorizes issue or PR as related to a bug. label Aug 6, 2019
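
The mechanism behind the "Vulnerability Details" paragraph, as an added Go illustration that is not kubelet code and does not claim to reproduce the kubelet's own code path: importing net/http/pprof registers the /debug/pprof handlers on http.DefaultServeMux at init time, so any listener that serves the default mux, even one intended only for /healthz, also answers pprof requests. The hardened form gives the health port its own mux. Handler and function names are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	_ "net/http/pprof" // side effect: /debug/pprof/* registered on DefaultServeMux
	"sync"
)

func healthz(w http.ResponseWriter, r *http.Request) {
	w.Write([]byte("ok"))
}

var registerOnce sync.Once

// LeakyHealthzHandler is the unsafe pattern: the health endpoint is added to
// the process-wide default mux, which the pprof import has already populated.
func LeakyHealthzHandler() http.Handler {
	registerOnce.Do(func() { http.HandleFunc("/healthz", healthz) })
	return http.DefaultServeMux
}

// IsolatedHealthzHandler is the hardened pattern: a private mux that knows
// nothing about pprof, so /debug/pprof/ is a 404 on this port.
func IsolatedHealthzHandler() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/healthz", healthz)
	return mux
}

// StatusFor issues an in-process GET and returns the status code, which is
// what an audit of the port from the outside would observe.
func StatusFor(h http.Handler, path string) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest("GET", path, nil))
	return rec.Code
}

func main() {
	for name, h := range map[string]http.Handler{
		"default mux": LeakyHealthzHandler(),
		"private mux": IsolatedHealthzHandler(),
	} {
		fmt.Printf("%s: /healthz=%d /debug/pprof/=%d\n", name,
			StatusFor(h, "/healthz"), StatusFor(h, "/debug/pprof/"))
	}
}
```

The same applies to any process that starts http.ListenAndServe with a nil handler: that call serves DefaultServeMux, so a pprof import anywhere in the binary becomes reachable on that port.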
@k8s-ci-robot
Contributor

@liggitt: Closing this issue.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. label Aug 6, 2019
@k8s-ci-robot
Contributor

@liggitt: There are no sig labels on this issue. Please add a sig label by either:

  1. mentioning a sig: @kubernetes/sig-<group-name>-<group-suffix>
    e.g., @kubernetes/sig-contributor-experience-<group-suffix> to notify the contributor experience sig, OR

  2. specifying the label manually: /sig <group-name>
    e.g., /sig scalability to apply the sig/scalability label

Note: Method 1 will trigger an email to the group. See the group list.
The <group-suffix> in method 1 has to be replaced with one of these: bugs, feature-requests, pr-reviews, test-failures, proposals.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@PushkarJ
Member

/label official-cve-feed

(Related to kubernetes/sig-security#1)

@k8s-ci-robot k8s-ci-robot added the official-cve-feed Issues or PRs related to CVEs officially announced by Security Response Committee (SRC) label May 16, 2022
zshi-redhat added a commit to zshi-redhat/microshift that referenced this issue Nov 28, 2022
pprof is exposed over kubelet unauthenticated healthz endpoint on
port :10248 to localhost only[1], removing MicroShift specific pprof
port document.

[1]: kubernetes/kubernetes#81023