Bug 1886638 (CVE-2020-8565)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | CVE-2020-8565 kubernetes: Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9 | | |
| Product: | [Other] Security Response | Reporter: | Sam Fowler <sfowler> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | aos-bugs, bmontgom, eparis, hchiramm, hvyas, jburrell, jmulligan, jokerman, madam, mfojtik, nstielau, puebele, rhs-bugs, rtalur, security-response-team, sponnaga, storage-qa-internal, sttts, xxia |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | kubernetes 1.20.0, kubernetes 1.19.6, kubernetes 1.18.14, kubernetes 1.17.16 | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in kubernetes. In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like `kubectl`. Previously, CVE-2019-11250 was assigned for the same issue for logging levels of at least 4. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-05-19 14:33:32 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1887316, 1887317, 1887318, 1888342, 1888539, 1892332, 1892333, 1892334, 1892335, 1892336, 1892337, 1895417 | | |
| Bug Blocks: | 1883756 | | |
Description
Sam Fowler
2020-10-09 01:47:58 UTC
Upstream Fix: https://github.com/kubernetes/kubernetes/pull/95316

Acknowledgments:

Name: the Kubernetes Product Security Committee
Upstream: Patrick Rhomberg (purelyapplied)

External References:

https://groups.google.com/g/kubernetes-announce/c/ScdmyORnPDk
https://github.com/kubernetes/kubernetes/issues/95623

This issue has been addressed in the following products:

Red Hat OpenShift Container Storage 4.7.0 on RHEL-8

Via RHSA-2021:2041 https://access.redhat.com/errata/RHSA-2021:2041

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-8565

This issue has been addressed in the following products:

Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8

Via RHSA-2021:5085 https://access.redhat.com/errata/RHSA-2021:5085

This issue has been addressed in the following products:

Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8

Via RHSA-2021:5086 https://access.redhat.com/errata/RHSA-2021:5086
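The Doc Text above says that at verbosity 9 and higher the request header dump reaches both API server logs and `kubectl` output with the bearer token intact. For a defender who has to check whether existing logs already contain such tokens, the following Go program is an added example; it is not code from this bug, from the upstream pull request, or from the Kubernetes project. It assumes a klog-style line layout for the constructed sample lines (the file names and token values are made up for the example) and uses its own `<masked>` placeholder, which is a convention of this example only, for the redacted form.

```go
package main

import (
	"fmt"
	"regexp"
)

// masked is this example's placeholder for a redacted credential value.
const masked = "<masked>"

// sampleLogLines are constructed for this example. They approximate the
// header dump and curl-style command a client prints at high verbosity;
// the token, host and line numbers are invented, not captured output.
var sampleLogLines = []string{
	`I1009 01:47:58.000000   12345 round_trippers.go:423] Request Headers:`,
	`I1009 01:47:58.000000   12345 round_trippers.go:427]     Accept: application/json`,
	`I1009 01:47:58.000000   12345 round_trippers.go:427]     Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.c29tZS1jbGFpbXM.c2lnbmF0dXJl`,
	`I1009 01:47:58.000000   12345 round_trippers.go:435] curl -k -v -XGET -H "Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.c29tZS1jbGFpbXM.c2lnbmF0dXJl" 'https://example.invalid:6443/api/v1/namespaces'`,
	`I1009 01:47:58.000000   12345 round_trippers.go:427]     Authorization: Basic YWRtaW46cGFzc3dvcmQ=`,
	`I1009 01:47:58.000000   12345 round_trippers.go:427]     Authorization: Bearer <masked>`,
}

// authPattern matches an Authorization header in either a plain header
// dump or a quoted curl argument. Group 1 keeps "Authorization: " as
// written, group 2 keeps the scheme, group 3 captures the secret value,
// which stops at whitespace or at the quote that closes a curl argument.
var authPattern = regexp.MustCompile(`(?i)(Authorization:\s*)(Bearer|Basic|Negotiate)\s+([^\s"']+)`)

// LeaksCredential reports whether the line carries an Authorization value
// that is not already redacted to the placeholder.
func LeaksCredential(line string) bool {
	sub := authPattern.FindStringSubmatch(line)
	return sub != nil && sub[3] != masked
}

// Redact replaces every Authorization credential in the line with the
// placeholder while keeping the scheme, so the line stays useful for
// debugging. Lines that are already redacted come back unchanged.
func Redact(line string) string {
	return authPattern.ReplaceAllString(line, "${1}${2} "+masked)
}

// FindLeaks returns the indices of all lines that still expose a credential.
func FindLeaks(lines []string) []int {
	var hits []int
	for i, l := range lines {
		if LeaksCredential(l) {
			hits = append(hits, i)
		}
	}
	return hits
}

func main() {
	for _, i := range FindLeaks(sampleLogLines) {
		fmt.Printf("line %d exposes a credential; redacted form:\n  %s\n", i, Redact(sampleLogLines[i]))
	}
}
```

Running it over the constructed lines flags the header-dump line, the curl line and the Basic line, and leaves the already-masked line alone. Scanning and redacting stored logs only limits the damage of an existing leak; the remedy for the flaw itself is the fixed versions listed under "Fixed In Version", and any token found in a log should be treated as exposed and rotated.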