Bug 1738368 (CVE-2019-11248)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2019-11248 kubernetes: /debug/pprof endpoint exposed on kubelet's healthz port | | |
| Product | [Other] Security Response | Reporter | Sam Fowler <sfowler> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | ahardin, bleanhar, bmontgom, ccoleman, dedgar, eparis, go-sig, hchiramm, ichavero, jbrooks, jburrell, jcajka, jchaloup, jgoulding, jmulligan, jokerman, kramdoss, madam, mchappel, nstielau, rhs-bugs, sisharma, sponnaga, strigazi, tstclair |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | kubernetes 1.15.0, kubernetes 1.14.4, kubernetes 1.13.8, kubernetes 1.12.10 | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2021-10-27 10:47:35 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1738369, 1738417, 1738418 | | |
| Bug Blocks | 1738370 | | |
Description
Sam Fowler
2019-08-07 01:26:00 UTC
Created kubernetes tracking bugs for this issue:

Affects: fedora-all [bug 1738369]

The kubelet healthz endpoint is disabled by default in OCP 3: https://github.com/openshift/origin/blob/release-3.11/pkg/cmd/server/kubernetes/node/options/options.go#L52

This can be confirmed by following the upstream advice to check the value of healthzBindAddress and healthzPort:

```
$ kubectl get --raw /api/v1/nodes/${NODE_NAME}/proxy/configz | jq -r '.kubeletconfig.healthzBindAddress, .kubeletconfig.healthzPort'
127.0.0.1
0
```

When healthzPort is set to 0, the healthz endpoint is disabled: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/

The kubelet healthz server is enabled by default on localhost in OCP 4:

```
$ kubectl get --raw /api/v1/nodes/${NODE_NAME}/proxy/configz | jq -r '.kubeletconfig.healthzBindAddress, .kubeletconfig.healthzPort'
127.0.0.1
10248
```

The /debug/pprof endpoint is enabled at localhost:10248 on all nodes and provides an interface for runtime profiling: https://golang.org/pkg/net/http/pprof/

Statement:

OpenShift Container Platform 3 is not vulnerable to this flaw as the kubelet healthz server is disabled by default. OpenShift Container Platform 4 enables the /debug/pprof endpoint on the kubelet healthz server to local traffic only.
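The two spot checks above can be turned into a cluster-wide audit. The following Python is an added example, not code from the bug report or from Kubernetes/OpenShift: it classifies each node's kubelet configz as healthz disabled (port 0), bound to loopback only, or bound to a non-loopback address and therefore reachable over the network. It assumes the upstream kubelet defaults (127.0.0.1 and 10248) when a field is absent, and the sample configz documents are constructed, not captured from a real cluster.

```python
import ipaddress
import json
import subprocess

# Constructed sample configz documents shaped like the kubeletconfig object
# the report queries; they are not captured from a real cluster.
SAMPLE_CONFIGZ = {
    "ocp3-node": {"kubeletconfig": {"healthzBindAddress": "127.0.0.1", "healthzPort": 0}},
    "ocp4-node": {"kubeletconfig": {"healthzBindAddress": "127.0.0.1", "healthzPort": 10248}},
    "wide-open": {"kubeletconfig": {"healthzBindAddress": "0.0.0.0", "healthzPort": 10248}},
}

# Upstream kubelet defaults, assumed here when a field is missing from configz.
DEFAULT_BIND, DEFAULT_PORT = "127.0.0.1", 10248


def _is_loopback(addr):
    """True for 'localhost' or any IPv4/IPv6 loopback address."""
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def classify(configz):
    """Return 'disabled', 'local-only' or 'exposed' for one node's configz."""
    cfg = configz.get("kubeletconfig", {})
    port = int(cfg.get("healthzPort", DEFAULT_PORT))
    bind = cfg.get("healthzBindAddress", DEFAULT_BIND)
    if port == 0:
        return "disabled"      # healthz server, and with it /debug/pprof, is not started
    if _is_loopback(bind):
        return "local-only"    # only reachable from the node itself
    return "exposed"           # non-loopback bind: reachable from the network


def fetch_configz(node):
    """Query a live cluster the same way the report does (needs kubectl access)."""
    out = subprocess.check_output(
        ["kubectl", "get", "--raw", f"/api/v1/nodes/{node}/proxy/configz"])
    return json.loads(out)


def audit(configz_by_node):
    """Map node name -> classification so exposed nodes can be listed."""
    return {node: classify(cz) for node, cz in configz_by_node.items()}


if __name__ == "__main__":
    for node, verdict in audit(SAMPLE_CONFIGZ).items():
        print(f"{node}: {verdict}")
```

Against a real cluster, replace SAMPLE_CONFIGZ with `{n: fetch_configz(n) for n in node_names}` and treat any "exposed" verdict as a node whose kubelet healthz port, including /debug/pprof, is reachable beyond localhost.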