Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 682266 (CVE-2019-1002101, CVE-2019-9946) - sys-cluster/kube-apiserver: multiple vulnerabilities (CVE-2019-{9946,1002101)
Summary: sys-cluster/kube-apiserver: multiple vulnerabilities (CVE-2019-{9946,1002101)
Status: RESOLVED FIXED
Alias: CVE-2019-1002101, CVE-2019-9946
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://github.com/kubernetes/kuberne...
Whiteboard: ~2 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-04-01 18:10 UTC by D'juan McDonald (domhnall)
Modified: 2020-03-29 01:20 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description D'juan McDonald (domhnall) 2019-04-01 18:10:00 UTC
(https://nvd.nist.gov/vuln/detail/CVE-2019-1002101):
The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes creates a tar inside the container, copies it over the network, and kubectl unpacks it on the user?s machine. If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on the user?s machine when kubectl cp is called, limited only by the system permissions of the local user. The untar function can both create and follow symbolic links.

(https://github.com/kubernetes/kubernetes/pull/75455):
A security issue was discovered with interactions between the CNI (Container Networking Interface) portmap plugin versions prior to 0.7.5 and Kubernetes. The CNI portmap plugin is embedded into Kubernetes releases so new releases of Kubernetes are required to fix this issue. The issue is Medium 4 and upgrading to Kubernetes 1.11.9, 1.12.7, 1.13.5, and 1.14.0 is encouraged to fix this issue if this plugin is used in your environment.

Reference: https://discuss.kubernetes.io/t/announce-security-release-of-kubernetes-affecting-certain-network-configurations-with-cni-releases-1-11-9-1-12-7-1-13-5-and-1-14-0-cve-2019-9946/5713

These issues are resolved in kubectl v1.11.9, v1.12.7, v1.13.5, and v1.14.0.




Gentoo Security Padawan
(domhnall)
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-16 19:25:19 UTC
Tree looks clean now.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-29 01:20:17 UTC
Closing because unstable and noglsa.