#VU30804 Permissions, Privileges, and Access Controls in Kubernetes - CVE-2019-11247
Vulnerability identifier: #VU30804
Vulnerability risk: High
CVSSv4.0: 6.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID:
CWE-ID:
CWE-264
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Kubernetes
Server applications /
Frameworks for developing and running applications
Vendor: Kubernetes
Description
The vulnerability allows a remote authenticated user to read and manipulate data.
The Kubernetes kube-apiserver mistakenly allows access to a cluster-scoped custom resource if the request is made as if the resource were namespaced. Authorizations for the resource accessed in this manner are enforced using roles and role bindings within the namespace, meaning that a user with access only to a resource in one namespace could create, view update or delete the cluster-scoped resource (according to their namespace role privileges). Kubernetes affected versions include versions prior to 1.13.9, versions prior to 1.14.5, versions prior to 1.15.2, and versions 1.7, 1.8, 1.9, 1.10, 1.11, 1.12.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Kubernetes: 1.15.0 - 1.15.1
External links
https://access.redhat.com/errata/RHBA-2019:2816
https://access.redhat.com/errata/RHBA-2019:2824
https://access.redhat.com/errata/RHSA-2019:2690
https://access.redhat.com/errata/RHSA-2019:2769
https://github.com/kubernetes/kubernetes/issues/80983
https://groups.google.com/d/msg/kubernetes-security-announce/vUtEcSEY6SM/v2ZZxsmtFQAJ
https://security.netapp.com/advisory/ntap-20190919-0003/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
