CVE-2019-11251: kubectl cp symlink vulnerability #87773
Labels
area/security
kind/bug
Categorizes issue or PR as related to a bug.
needs-sig
Indicates an issue or PR lacks a `sig/foo` label and requires one.
official-cve-feed
Issues or PRs related to CVEs officially announced by Security Response Committee (SRC)
sig/cli
Categorizes an issue or PR as relevant to SIG CLI.
Milestone
A security issue was discovered in kubectl versions v1.13.10, v1.14.6, and v1.15.3. The issue is of a medium severity and upgrading of kubectl is encouraged to fix the vulnerability.
Am I vulnerable?
Run kubectl version --client and if it returns versions v1.13.10, v1.14.6, and v1.15.3, you are running a vulnerable version.
How do I upgrade?
Follow installation instructions here
Vulnerability Details
The details for this vulnerability are very similar to CVE-2019-1002101 and CVE-2019-11246.
A vulnerability has been discovered in kubectl cp that allows a combination of two symlinks to copy a file outside of its destination directory. This could be used to allow an attacker to place a nefarious file using a symlink, outside of the destination tree.
This issue is filed as CVE-2019-11251.
Two fixes were formulated, one fix to remove symlink support going forwards and a fix with cherry picks made to ensure backwards compatibility.
See #82143 for the primary fix in v1.16.0 which removes the support of symlinks in kubectl cp. After version 1.16.0, symlink support with kubectl cp is removed, it is recommended instead to use a combination of exec+tar.
A second fix has been made to 1.15.4 and backported to 1.14.7 and 1.13.11. This changes the kubectl cp un-tar symlink logic, by unpacking the symlinks after all the regular files have been unpacked. This then guarantees that a file can’t be written through a symlink.
See #82384 for the fix to version 1.15.4. The following Cherry picks were made from this fix to earlier versions of v1.14.7 and v1.13.11:
See #82502 for version 1.14.7
See #82503 for version 1.13.11
Thank you to Erik Sjölund (@eriksjolund) for discovering this issue, Tim Allclair and Maciej Szulik for both fixes and the patch release managers for including the fix in their releases.
/close
The text was updated successfully, but these errors were encountered: