Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 6 Aug 2019 09:35:44 -0700
From: Tim Allclair <tallclair@...gle.com>
To: "Kubernetes developer/contributor discussion" <kubernetes-dev@...glegroups.com>, 
	kubernetes-security-announce@...glegroups.com, 
	kubernetes-security-discuss@...glegroups.com, oss-security@...ts.openwall.com
Subject: [ANNOUNCE] CVE-2019-11248: /debug/pprof exposed on kubelet's healthz port

Hello Kubernetes Community,

The debugging endpoint /debug/pprof is exposed over the unauthenticated
Kubelet healthz port. Versions prior to 1.15.0, 1.14.4, 1.13.8, and 1.12.10
are affected. The issue is of medium severity, but only exposed locally by
the default configuration. If you are exposed we recommend upgrading to at
least one of the versions listed.

Am I vulnerable?

By default, the Kubelet exposes unauthenticated healthz endpoints on port
:10248, but only over localhost. If your nodes are using a non-localhost
healthzBindAddress (--health-bind-address), and an older version, you may
be vulnerable. If your nodes are using the default localhost
healthzBindAddress, it is only exposed to pods or processes running in the
host network namespace.

Run `kubectl get nodes` to see whether nodes are running a vulnerable
version.

Run `kubectl get --raw /api/v1/nodes/${NODE_NAME}/proxy/configz` to check
whether the "healthzBindAddress" is non-local.

How do I mitigate the vulnerability?

Upgrade to the latest patch releases for 1.15, 1.14 or 1.13

Or, update node configurations to set the "healthzBindAddress" to
"127.0.0.1".

Vulnerability Details

The go pprof <https://golang.org/pkg/net/http/pprof/> endpoint is exposed
over the Kubelet's healthz port. This debugging endpoint can potentially
leak sensitive information such as internal Kubelet memory addresses and
configuration, or for limited denial of service.

This issue has been filed as CVE-2019-11248. See
https://github.com/kubernetes/kubernetes/issues/81023 for more details

Thanks to Jordan Zebor of F5 Networks for reporting this problem.

Thank You,

Tim Allclair on behalf of the Kubernetes Product Security Committee

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.