Bug 1732192 (CVE-2019-11247) - CVE-2019-11247 kubernetes: API server allows access to cluster-scoped custom resources as if resources were namespaced
Summary: CVE-2019-11247 kubernetes: API server allows access to cluster-scoped custom ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-11247
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1732201 1732202 1732203 1732204 1732205 1737646
Blocks: 1732194
TreeView+ depends on / blocked
 
Reported: 2019-07-23 01:55 UTC by Sam Fowler
Modified: 2023-09-07 20:17 UTC (History)
39 users (show)

Fixed In Version: kubernetes 1.13.9, kubernetes 1.14.5, kubernetes 1.15.2, kubernetes 1.16.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-28 19:07:19 UTC
Embargoed:
msweiker: needinfo-
msweiker: needinfo-

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:3213 0 None None None 2019-10-29 10:14:22 UTC
Red Hat Product Errata RHSA-2019:2504 0 None None None 2019-08-15 13:27:33 UTC
Red Hat Product Errata RHSA-2019:2690 0 None None None 2019-09-11 15:28:36 UTC
Red Hat Product Errata RHSA-2019:2769 0 None None None 2019-10-24 03:07:46 UTC

Description Sam Fowler 2019-07-23 01:55:11 UTC 
The Kubernetes API server mistakenly allows access to a cluster-scoped custom resource if the request is made as if the resource were namespaced.  Authorizations for the resource accessed in this manner are enforced using roles and role bindings within the namespace, meaning that a user with access only to a resource in one namespace could create, view update or delete the cluster-scoped resource (according to their namespace role privileges).
Comment 1 Sam Fowler 2019-07-23 01:56:32 UTC 
Acknowledgments:

Name: the Kubernetes Product Security Committee
Comment 4 Sam Fowler 2019-08-05 23:39:47 UTC 
Upstream Issue:

https://github.com/kubernetes/kubernetes/issues/80983
Comment 5 Sam Fowler 2019-08-05 23:41:45 UTC 
External References:

https://groups.google.com/forum/#!topic/kubernetes-security-discuss/Vf31dXp0EJc
Comment 6 Sam Fowler 2019-08-05 23:44:02 UTC 
Created kubernetes tracking bugs for this issue:

Affects: fedora-all [bug 1737646]
Comment 13 errata-xmlrpc 2019-08-15 13:27:31 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.1

Via RHSA-2019:2504 https://access.redhat.com/errata/RHSA-2019:2504
Comment 14 Product Security DevOps Team 2019-08-15 14:47:10 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-11247
Comment 18 Product Security DevOps Team 2019-08-28 19:07:19 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-11247
Comment 19 errata-xmlrpc 2019-09-11 15:28:34 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.10

Via RHSA-2019:2690 https://access.redhat.com/errata/RHSA-2019:2690
Comment 20 errata-xmlrpc 2019-10-24 03:07:43 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.9

Via RHSA-2019:2769 https://access.redhat.com/errata/RHSA-2019:2769
Note You need to log in before you can comment on or make changes to this bug.