Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CADtktAVB-QncVS9OcDzceb0_6+8OY_b3xQ2Sag+r9m_f80f4+g@mail.gmail.com>
Date: Tue, 6 Aug 2019 09:35:44 -0700
From: Tim Allclair <tallclair@...gle.com>
To: "Kubernetes developer/contributor discussion" <kubernetes-dev@...glegroups.com>, 
	kubernetes-security-announce@...glegroups.com, 
	kubernetes-security-discuss@...glegroups.com, oss-security@...ts.openwall.com
Subject: [ANNOUNCE] CVE-2019-11248: /debug/pprof exposed on kubelet's healthz port

Hello Kubernetes Community,

The debugging endpoint /debug/pprof is exposed over the unauthenticated
Kubelet healthz port. Versions prior to 1.15.0, 1.14.4, 1.13.8, and 1.12.10
are affected. The issue is of medium severity, but only exposed locally by
the default configuration. If you are exposed we recommend upgrading to at
least one of the versions listed.

Am I vulnerable?

By default, the Kubelet exposes unauthenticated healthz endpoints on port
:10248, but only over localhost. If your nodes are using a non-localhost
healthzBindAddress (--health-bind-address), and an older version, you may
be vulnerable. If your nodes are using the default localhost
healthzBindAddress, it is only exposed to pods or processes running in the
host network namespace.

Run `kubectl get nodes` to see whether nodes are running a vulnerable
version.

Run `kubectl get --raw /api/v1/nodes/${NODE_NAME}/proxy/configz` to check
whether the "healthzBindAddress" is non-local.

How do I mitigate the vulnerability?

Upgrade to the latest patch releases for 1.15, 1.14 or 1.13

Or, update node configurations to set the "healthzBindAddress" to
"127.0.0.1".

Vulnerability Details

The go pprof <https://golang.org/pkg/net/http/pprof/> endpoint is exposed
over the Kubelet's healthz port. This debugging endpoint can potentially
leak sensitive information such as internal Kubelet memory addresses and
configuration, or for limited denial of service.

This issue has been filed as CVE-2019-11248. See
https://github.com/kubernetes/kubernetes/issues/81023 for more details

Thanks to Jordan Zebor of F5 Networks for reporting this problem.

Thank You,

Tim Allclair on behalf of the Kubernetes Product Security Committee

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.