Bug 1715726 (CVE-2019-11245)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2019-11245 kubernetes: container uid changes to root after first restart | | |
| Product | [Other] Security Response | Reporter | Dhananjay Arunesh <darunesh> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED NOTABUG | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | admiller, ahardin, bleanhar, bmontgom, ccoleman, dedgar, eparis, hchiramm, jburrell, jcajka, jgoulding, jmulligan, jokerman, kramdoss, madam, mchappel, nstielau, rhs-bugs, sankarshan, sisharma, sponnaga, ssaha, storage-qa-internal, tdawson, vbellur |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | kubernetes 1.13.7, kubernetes 1.14.3 | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2019-06-10 10:56:25 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 1715727 | | |
Description
Dhananjay Arunesh
2019-05-31 05:57:38 UTC
Upstream Fixes:

- https://github.com/kubernetes/kubernetes/pull/78261 (master)
- https://github.com/kubernetes/kubernetes/pull/78320 (1.13.7)
- https://github.com/kubernetes/kubernetes/pull/78316 (1.14.3)

Flaw introduced by:

- https://github.com/kubernetes/kubernetes/pull/76665 (master)
- https://github.com/kubernetes/kubernetes/pull/77322 (1.13)
- https://github.com/kubernetes/kubernetes/pull/77320 (1.14)

Gluster embeds a very old kubernetes version, v1.5.5, with heketi, which is not affected by this vulnerability.

v1.5.5 (lines 140-143):

```go
uid, username, err := m.getImageUser(container.Image)
if err != nil {
	return nil, err
}
```

Statement:

This vulnerability only affects upstream Kubernetes versions 1.13.6 and 1.14.2. All released versions of Red Hat OpenShift Container Platform and Red Hat Gluster Storage 3 are not affected by this flaw as they do not contain the vulnerable code.

External References:

https://discuss.kubernetes.io/t/security-regression-in-kubernetes-kubelet-v1-13-6-and-v1-14-2-only-cve-2019-11245/6584

Mitigation:

There are two potential mitigations to this issue:

1. Downgrade to kubelet v1.13.5 or v1.14.1 as instructed by your Kubernetes distribution.
2. Set RunAsUser on all pods in the cluster that should not run as root. This is a Security Context feature; the docs are at https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
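The second mitigation above only helps if every container that must not run as root actually has an explicit runAsUser. The following audit script is an added example written for this page; it is not part of the bug report, the upstream fix, or any Kubernetes tooling. It walks pod objects in the shape `kubectl get pods -A -o json` returns, resolves the effective runAsUser per container (a container-level securityContext overrides the pod-level one; an explicit `runAsUser: 0` counts as set, since root was intended), and reports every container with no explicit uid, i.e. one that relies on the image's USER directive and is therefore exposed on an affected kubelet (v1.13.6 or v1.14.2, the only versions named in the statement above). It also records the node's kubelet version and the container's restartCount, because a container that has already restarted on an affected node is the one whose uid has already changed. The pod and node data embedded below are constructed for the example; the field names are the standard Pod and Node API fields.

```python
"""Audit pods for CVE-2019-11245 exposure (added example, not project code)."""

import json

# The two kubelet releases the advisory names as affected.
AFFECTED_KUBELETS = {"v1.13.6", "v1.14.2"}


def effective_run_as_user(pod_spec, container):
    """Return the uid explicitly requested for this container, or None when
    nothing is set and the kubelet falls back to the image's USER directive.
    Container-level securityContext.runAsUser overrides the pod-level value."""
    container_ctx = container.get("securityContext") or {}
    if "runAsUser" in container_ctx:
        return container_ctx["runAsUser"]
    return (pod_spec.get("securityContext") or {}).get("runAsUser")


def restart_counts(pod):
    """Map container name -> restartCount from pod.status (init containers too)."""
    status = pod.get("status") or {}
    statuses = (status.get("containerStatuses") or []) + (status.get("initContainerStatuses") or [])
    return {st["name"]: st.get("restartCount", 0) for st in statuses}


def find_exposed_containers(pod_list, kubelet_versions):
    """pod_list: a PodList dict (kubectl get pods -A -o json).
    kubelet_versions: node name -> .status.nodeInfo.kubeletVersion.
    Returns one finding per container whose effective runAsUser is unset."""
    findings = []
    for pod in pod_list.get("items", []):
        spec = pod["spec"]
        node = spec.get("nodeName")
        restarts = restart_counts(pod)
        containers = (spec.get("initContainers") or []) + (spec.get("containers") or [])
        for c in containers:
            if effective_run_as_user(spec, c) is not None:
                continue  # explicit uid, the regression does not apply
            version = kubelet_versions.get(node, "unknown")
            findings.append({
                "namespace": pod["metadata"]["namespace"],
                "pod": pod["metadata"]["name"],
                "container": c["name"],
                "node": node,
                "kubelet": version,
                "kubelet_affected": version in AFFECTED_KUBELETS,
                "restarts": restarts.get(c["name"], 0),
            })
    return findings


def kubelet_versions_from_nodes(node_list):
    """Build the node -> kubelet version map from `kubectl get nodes -o json`."""
    return {n["metadata"]["name"]: n["status"]["nodeInfo"]["kubeletVersion"]
            for n in node_list.get("items", [])}


# Constructed sample data: one node on an affected kubelet, one on the fixed one.
SAMPLE_NODES = {"items": [
    {"metadata": {"name": "node-a"}, "status": {"nodeInfo": {"kubeletVersion": "v1.14.2"}}},
    {"metadata": {"name": "node-b"}, "status": {"nodeInfo": {"kubeletVersion": "v1.14.3"}}},
]}

SAMPLE_PODS = {"kind": "PodList", "items": [
    # 'web' relies on the image USER and has already restarted twice on node-a: exposed.
    {"metadata": {"namespace": "prod", "name": "web-7d9f"},
     "spec": {"nodeName": "node-a", "containers": [
         {"name": "web", "image": "example/web:1.0"},
         {"name": "sidecar", "image": "example/proxy:1.0",
          "securityContext": {"runAsUser": 1000}}]},
     "status": {"containerStatuses": [
         {"name": "web", "restartCount": 2}, {"name": "sidecar", "restartCount": 0}]}},
    # Pod-level runAsUser covers both the app and the init container: safe.
    {"metadata": {"namespace": "prod", "name": "api"},
     "spec": {"nodeName": "node-b", "securityContext": {"runAsUser": 1001},
              "initContainers": [{"name": "init-db", "image": "example/migrate:1.0"}],
              "containers": [{"name": "api", "image": "example/api:1.0"}]}},
    # Explicit root is an intentional choice, not a fallback: not flagged.
    {"metadata": {"namespace": "ops", "name": "root-tool"},
     "spec": {"nodeName": "node-b", "containers": [
         {"name": "tool", "image": "example/tool:1.0", "securityContext": {"runAsUser": 0}}]}},
    # No uid anywhere, but the node runs the fixed kubelet: flagged, not currently affected.
    {"metadata": {"namespace": "ops", "name": "cron"},
     "spec": {"nodeName": "node-b", "containers": [{"name": "job", "image": "example/job:1.0"}]}},
]}


def run_sample():
    return find_exposed_containers(SAMPLE_PODS, kubelet_versions_from_nodes(SAMPLE_NODES))


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

To run it against a real cluster, feed `json.load()` of `kubectl get pods -A -o json` and `kubectl get nodes -o json` to `find_exposed_containers` and `kubelet_versions_from_nodes` in place of the samples. Findings with `kubelet_affected` true and `restarts` greater than zero are the containers that have already been switched to uid 0; fixing them means adding runAsUser to the owning workload (Deployment, DaemonSet, etc.), since a running Pod's securityContext cannot be patched in place.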