Bug 1703209 (CVE-2019-11244)
| Summary: | CVE-2019-11244 kubernetes: Schema info written with world-writeable permissions when cached | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | admiller, ahardin, aos-bugs, bleanhar, bmontgom, ccoleman, dedgar, dominik.mierzejewski, eparis, erjones, go-sig, hchiramm, ichavero, jbrooks, jburrell, jcajka, jchaloup, jgoulding, jmulligan, jokerman, kramdoss, madam, maszulik, mchappel, mfojtik, nhorman, nstielau, rhs-bugs, sisharma, sponnaga, storage-qa-internal, strigazi, tdawson, tstclair, vbatts, vbellur |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
A flaw was found in kubectl that leaves http-cache files with read/write permissions for any user. In conjunction with a non-default value for --cache-dir, this may lead to the cache content being placed in a location accessible to other users on the system.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-11-21 13:04:49 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1703210, 1703211, 1703212, 1703213, 1703214, 1718484, 1718485, 1718486, 1718487, 1760269, 1771837 | ||
| Bug Blocks: | 1703215 | ||
|
Description
Pedro Sampaio
2019-04-25 20:03:40 UTC
Created containernetworking-cni tracking bugs for this issue: Affects: epel-7 [bug 1703214] Created kubernetes tracking bugs for this issue: Affects: fedora-all [bug 1703211] Created kubernetes:1.1/kubernetes tracking bugs for this issue: Affects: fedora-29 [bug 1703210] Created kubernetes:openshift-3.10/origin tracking bugs for this issue: Affects: fedora-29 [bug 1703212] Created origin tracking bugs for this issue: Affects: fedora-all [bug 1703213] Upstream Commit: https://github.com/kubernetes/kubernetes/pull/77874/commits/f228ae3364729caed59087e23c42868454bc3ff4 Gluster ships very old kubernetes version v1.5.5 which is not affected by this vulnerability. Statement: OpenShift Container Platform includes kubectl. OCP 3.9 and later include this same flaw. This issue does not affect the version of Kubernetes (embedded in heketi) shipped with Red Hat Gluster Storage 3 as it does not contain the vulnerable functionality. Mitigation: Do not use --cache-dir, or ensure that --cache-dir is not set to a location that other users have access to. External References: https://github.com/kubernetes/kubernetes/issues/76676 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.1 Via RHSA-2019:3942 https://access.redhat.com/errata/RHSA-2019:3942 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-11244 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.11 Via RHSA-2020:0020 https://access.redhat.com/errata/RHSA-2020:0020 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.1 Via RHSA-2020:0074 https://access.redhat.com/errata/RHSA-2020:0074 |