New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CVE-2019-11248: /debug/pprof exposed on kubelet's healthz port #81023
Comments
@liggitt: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@liggitt: There are no sig labels on this issue. Please add a sig label by either:
Note: Method 1 will trigger an email to the group. See the group list. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/label official-cve-feed (Related to kubernetes/sig-security#1) |
pprof is exposed over kubelet unauthenticated healthz endpoint on port :10248 to localhost only[1], removing MicroShift specific pprof port document. [1]: kubernetes/kubernetes#81023
The debugging endpoint
/debug/pprof
is exposed over the unauthenticated Kubelet healthz port. Versions prior to 1.15.0, 1.14.4, 1.13.8, and 1.12.10 are affected. The issue is of medium severity, but not exposed by the default configuration. If you are exposed we recommend upgrading to at least one of the versions listed.Am I vulnerable?
By default, the Kubelet exposes unauthenticated healthz endpoints on port :10248, but only over localhost. If your nodes are using a non-localhost healthzBindAddress (--health-bind-address), and an older version, you may be vulnerable. If your nodes are using the default localhost healthzBindAddress, it is only exposed to pods or processes running in the host network namespace.
Run
kubectl get nodes
to see whether nodes are running a vulnerable version.Run
kubectl get --raw /api/v1/nodes/${NODE_NAME}/proxy/configz
to check whether the "healthzBindAddress" is non-local.How do I mitigate the vulnerability?
#79184 fixed in 1.12.10
#79183 fixed in 1.13.8
#79182 fixed in 1.14.4
#78313 fixed in 1.15.0
Vulnerability Details
The
go pprof
endpoint is exposed over the Kubelet's healthz port. This debugging endpoint can potentially leak sensitive information such as internal Kubelet memory addresses and configuration, or for limited denial of service.Thanks to Jordan Zebor of F5 Networks for reporting this problem.
/area security
/close
The text was updated successfully, but these errors were encountered: