Bug 1732192 (CVE-2019-11247)

Summary: CVE-2019-11247 kubernetes: API server allows access to cluster-scoped custom resources as if resources were namespaced
Product: [Other] Security Response
Reporter: Sam Fowler <sfowler>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: ahardin, akaiser, bleanhar, bmontgom, ccoleman, dedgar, dominik.mierzejewski, eparis, go-sig, hchiramm, ichavero, jbrooks, jburrell, jcajka, jchaloup, jgoulding, jmulligan, jokerman, kramdoss, madam, mchappel, mmariyan, msweiker, nhorman, nstielau, puebele, rhs-bugs, sankarshan, security-response-team, sfowler, sisharma, sponnaga, storage-qa-internal, strigazi, sttts, tstclair, vbatts, vbellur, yjog
Target Milestone: ---
Keywords: Reopened, Security
Target Release: ---
Flags: msweiker: needinfo-
Hardware: All
OS: Linux
Fixed In Version: kubernetes 1.13.9, kubernetes 1.14.5, kubernetes 1.15.2, kubernetes 1.16.0
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2019-08-28 19:07:19 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1732201, 1732202, 1732203, 1732204, 1732205, 1737646
Bug Blocks: 1732194

Description Sam Fowler 2019-07-23 01:55:11 UTC
The Kubernetes API server mistakenly allows access to a cluster-scoped custom resource if the request is made as if the resource were namespaced. Authorizations for the resource accessed in this manner are enforced using roles and role bindings within the namespace, meaning that a user with access only to a resource in one namespace could create, view, update or delete the cluster-scoped resource (according to their namespace role privileges).
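The following is an added example, not part of the bug report or of Kubernetes itself, showing how a cluster operator could spot the access pattern described above in API server audit logs (an event whose requestURI reaches a cluster-scoped custom resource through a `/namespaces/<ns>/` path) and check a server version against the "Fixed In Version" list on this bug. The resource name `widgets.example.com` and the audit events are constructed for the example.

```python
import json
import re

# Cluster-scoped custom resources to watch (constructed for this example; in
# practice, collect every CRD whose .spec.scope is "Cluster").
CLUSTER_SCOPED_RESOURCES = {"widgets.example.com"}

# Patch levels carrying the fix, taken from this bug's "Fixed In Version" field.
FIXED_IN = {13: 9, 14: 5, 15: 2, 16: 0}

# /apis/<group>/<version>/namespaces/<ns>/<resource>/...
NAMESPACED_PATH = re.compile(r"^/apis/([^/]+)/[^/]+/namespaces/([^/]+)/([^/]+)")


def is_fixed(version: str) -> bool:
    """True if a 1.x Kubernetes version is at or above the fixed patch for its minor."""
    major, minor, patch = (int(x) for x in version.lstrip("v").split(".")[:3])
    if major != 1:
        return major > 1
    if minor in FIXED_IN:
        return patch >= FIXED_IN[minor]
    return minor > max(FIXED_IN)


def suspicious_events(audit_lines):
    """Yield (user, verb, resource, namespace) for audit events that address a
    cluster-scoped custom resource through a namespaced URL."""
    for line in audit_lines:
        ev = json.loads(line)
        m = NAMESPACED_PATH.match(ev.get("requestURI", ""))
        if not m:
            continue
        group, namespace, resource = m.groups()
        if f"{resource}.{group}" in CLUSTER_SCOPED_RESOURCES:
            yield (ev["user"]["username"], ev["verb"], resource, namespace)


# Constructed audit events (audit.k8s.io/v1 shape): the first is an ordinary
# cluster-scoped GET, the second reaches the same resource via a namespaced path.
SAMPLE_AUDIT = [
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"get","user":{"username":"alice"},'
    '"requestURI":"/apis/example.com/v1/widgets/prod-cfg"}',
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"delete","user":{"username":"bob"},'
    '"requestURI":"/apis/example.com/v1/namespaces/dev/widgets/prod-cfg"}',
]

if __name__ == "__main__":
    for hit in suspicious_events(SAMPLE_AUDIT):
        print("cluster-scoped CR reached via namespaced path:", hit)
    print("1.14.3 fixed?", is_fixed("1.14.3"))
```

On a patched API server such requests are rejected, so hits in audit logs from an unpatched cluster are the signal worth reviewing.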

Comment 1 Sam Fowler 2019-07-23 01:56:32 UTC
Acknowledgments:

Name: the Kubernetes Product Security Committee

Comment 4 Sam Fowler 2019-08-05 23:39:47 UTC
Upstream Issue:

https://github.com/kubernetes/kubernetes/issues/80983

Comment 5 Sam Fowler 2019-08-05 23:41:45 UTC
External References:

https://groups.google.com/forum/#!topic/kubernetes-security-discuss/Vf31dXp0EJc

Comment 6 Sam Fowler 2019-08-05 23:44:02 UTC
Created kubernetes tracking bugs for this issue:

Affects: fedora-all [bug 1737646]

Comment 13 errata-xmlrpc 2019-08-15 13:27:31 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.1

Via RHSA-2019:2504 https://access.redhat.com/errata/RHSA-2019:2504

Comment 14 Product Security DevOps Team 2019-08-15 14:47:10 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-11247

Comment 18 Product Security DevOps Team 2019-08-28 19:07:19 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-11247

Comment 19 errata-xmlrpc 2019-09-11 15:28:34 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.10

Via RHSA-2019:2690 https://access.redhat.com/errata/RHSA-2019:2690

Comment 20 errata-xmlrpc 2019-10-24 03:07:43 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.9

Via RHSA-2019:2769 https://access.redhat.com/errata/RHSA-2019:2769