Bug 1703209 (CVE-2019-11244) - CVE-2019-11244 kubernetes: Schema info written with world-writeable permissions when cached
Summary: CVE-2019-11244 kubernetes: Schema info written with world-writeable permissio...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-11244
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1703214 1703210 1703211 1703212 1703213 1718484 1718485 1718486 1718487 1760269 1771837
Blocks: 1703215
TreeView+ depends on / blocked
 
Reported: 2019-04-25 20:03 UTC by Pedro Sampaio
Modified: 2020-03-18 04:36 UTC (History)
36 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in kubectl that leaves http-cache files with read/write permissions for any user. In conjunction with a non-default value for --cache-dir, this may lead to the cache content being placed in a location accessible to other users on the system.
Clone Of:
Environment:
Last Closed: 2019-11-21 13:04:49 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:3942 None None None 2019-11-21 10:05:32 UTC
Red Hat Product Errata RHSA-2020:0020 None None None 2020-01-14 07:08:23 UTC
Red Hat Product Errata RHSA-2020:0074 None None None 2020-01-21 15:05:21 UTC

Description Pedro Sampaio 2019-04-25 20:03:40 UTC
In Kubernetes v1.8.x-v1.14.x, schema info is cached by kubectl in the location specified by --cache-dir (defaulting to $HOME/.kube/http-cache), written with world-writeable permissions (rw-rw-rw-). If --cache-dir is specified and pointed at a different location accessible to other users/groups, the written files may be modified by other users/groups and disrupt the kubectl invocation.

Upstream issue:

https://github.com/kubernetes/kubernetes/issues/76676

Comment 1 Pedro Sampaio 2019-04-25 20:04:14 UTC
Created containernetworking-cni tracking bugs for this issue:

Affects: epel-7 [bug 1703214]


Created kubernetes tracking bugs for this issue:

Affects: fedora-all [bug 1703211]


Created kubernetes:1.1/kubernetes tracking bugs for this issue:

Affects: fedora-29 [bug 1703210]


Created kubernetes:openshift-3.10/origin tracking bugs for this issue:

Affects: fedora-29 [bug 1703212]


Created origin tracking bugs for this issue:

Affects: fedora-all [bug 1703213]

Comment 5 Hardik Vyas 2019-05-22 09:44:03 UTC
Gluster ships very old kubernetes version v1.5.5 which is not affected by this vulnerability.

Comment 10 Dave Baker 2019-06-07 22:41:49 UTC
Statement:

OpenShift Container Platform includes kubectl.  OCP 3.9 and later include this same flaw.

This issue does not affect the version of Kubernetes (embedded in heketi) shipped with Red Hat Gluster Storage 3 as it does not contain the vulnerable functionality.

Comment 12 Dave Baker 2019-06-07 23:34:16 UTC
Mitigation:

Do not use --cache-dir, or ensure that --cache-dir is not set to a location that other users have access to.

Comment 13 Dave Baker 2019-06-07 23:36:02 UTC
External References:

https://github.com/kubernetes/kubernetes/issues/76676

Comment 16 errata-xmlrpc 2019-11-21 10:05:30 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.1

Via RHSA-2019:3942 https://access.redhat.com/errata/RHSA-2019:3942

Comment 17 Product Security DevOps Team 2019-11-21 13:04:49 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-11244

Comment 18 errata-xmlrpc 2020-01-14 07:08:22 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2020:0020 https://access.redhat.com/errata/RHSA-2020:0020

Comment 19 errata-xmlrpc 2020-01-21 15:05:17 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.1

Via RHSA-2020:0074 https://access.redhat.com/errata/RHSA-2020:0074


Note You need to log in before you can comment on or make changes to this bug.