Bug 1703218 (CVE-2019-11243)

Summary: CVE-2019-11243 kubernetes: Authentication information exposure in rest.AnonymousClientConfig()
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: admiller, ahardin, bleanhar, bmontgom, ccoleman, dedgar, eparis, go-sig, hchiramm, ichavero, jbrooks, jburrell, jcajka, jchaloup, jgoulding, jmulligan, jokerman, kramdoss, madam, mchappel, nhorman, nstielau, rhs-bugs, sankarshan, sisharma, sponnaga, ssaha, storage-qa-internal, strigazi, tdawson, tstclair, vbatts, vbellur
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kubernetes 1.12.5, kubernetes 1.13.1, kubernetes 1.14.0 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:54:44 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1703219, 1703220, 1703223, 1703224, 1714287    
Bug Blocks: 1703222    

Description Pedro Sampaio 2019-04-25 20:14:15 UTC 
In Kubernetes v1.12.0-v1.12.4 and v1.13.0, the rest.AnonymousClientConfig() method returns a copy of the provided config, with credentials removed (bearer token, username/password, and client certificate/key data). In the affected versions, rest.AnonymousClientConfig() did not effectively clear service account credentials loaded using rest.InClusterConfig()

Upstream issue:

https://github.com/kubernetes/kubernetes/issues/76797
Comment 1 Pedro Sampaio 2019-04-25 20:14:44 UTC 
Created containernetworking-cni tracking bugs for this issue:

Affects: epel-7 [bug 1703224]


Created kubernetes tracking bugs for this issue:

Affects: fedora-all [bug 1703220]


Created kubernetes:1.1/kubernetes tracking bugs for this issue:

Affects: fedora-29 [bug 1703219]


Created origin tracking bugs for this issue:

Affects: fedora-all [bug 1703223]
Comment 6 Hardik Vyas 2019-05-22 09:40:44 UTC 
Upstream Commit:
https://github.com/kubernetes/kubernetes/pull/71713/commits/dba85e58debadfcb66aff2b68ba8bcc2eafeac2d
Comment 7 Hardik Vyas 2019-05-22 09:45:12 UTC 
Gluster ships very old kubernetes version v1.5.5 which is not affected by this vulnerability.
Comment 8 Hardik Vyas 2019-05-22 09:45:14 UTC 
Statement:

This issue does not affect the version of Kubernetes(embedded in heketi) shipped with Red Hat Gluster Storage 3 as it does not contain the vulnerable functionality.
Comment 9 Pedro Sampaio 2019-05-27 14:57:18 UTC 
Created kubernetes:openshift-3.10/origin tracking bugs for this issue:

Affects: fedora-29 [bug 1714287]