
cv-announce-l - [cv-announce-l] kubectl Path Traversal (CVE-2019-11246)


cv-announce-l@list.iu.edu


  • From: Andrew K Adams <akadams@psc.edu>
  • To: cv-announce@trustedci.org
  • Cc: "Andrew K. Adams" <akadams@psc.edu>
  • Subject: [cv-announce-l] kubectl Path Traversal (CVE-2019-11246)
  • Date: Tue, 25 Jun 2019 16:36:51 -0400

CI Operators:


A high-severity path traversal vulnerability in Kubernetes (CVE-2019-11246) has been announced [1][2][3]. The issue, in the ‘kubectl cp’ command, arises from a directory traversal bug in the way kubectl processes the tar stream it copies out of the container; the affected system is the client’s host, not the container.


Impact:

A malicious container can create or replace arbitrary files on a user’s host.
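To make the failure mode concrete, the following is an added example (not kubectl’s own code, and not the fix that shipped) of the kind of containment check a tar extractor needs before it writes each entry: every entry name, and every symlink target, is joined under the destination directory and rejected if the cleaned result lies outside it. The destination directory and the three headers are constructed for the demonstration; nothing is written to disk.

```go
package main

import (
	"archive/tar"
	"fmt"
	"path/filepath"
	"strings"
)

// inside: is p (already cleaned) dest itself or below it? ("/out" must not match "/outside/x")
func inside(dest, p string) bool {
	return p == dest || strings.HasPrefix(p, dest+string(filepath.Separator))
}

// CheckEntry returns the host path a tar header would be written to under dest, or an
// error if it escapes. filepath.Join cleans ".." components, so the test runs on the
// joined result, not the raw name; a symlink's target is resolved and tested the same way.
func CheckEntry(dest string, hdr *tar.Header) (string, error) {
	dest = filepath.Clean(dest)
	target := filepath.Join(dest, hdr.Name)
	if !inside(dest, target) {
		return "", fmt.Errorf("entry %q escapes %s", hdr.Name, dest)
	}
	if hdr.Typeflag == tar.TypeSymlink {
		link := filepath.Clean(hdr.Linkname)
		if !filepath.IsAbs(link) {
			link = filepath.Join(filepath.Dir(target), link)
		}
		if !inside(dest, link) {
			return "", fmt.Errorf("symlink %q -> %q escapes %s", hdr.Name, link, dest)
		}
	}
	return target, nil
}

// Demo runs CheckEntry over constructed headers (nothing touches the disk) and reports,
// per entry name, whether it was rejected; the destination directory is hypothetical.
func Demo() map[string]bool {
	headers := []tar.Header{
		{Name: "app/config.yaml", Typeflag: tar.TypeReg},                          // stays under dest
		{Name: "app/../../outside.txt", Typeflag: tar.TypeReg},                    // cleans to dest's parent
		{Name: "app/lib", Typeflag: tar.TypeSymlink, Linkname: "../../../../tmp"}, // target escapes
	}
	rejected := map[string]bool{}
	for i := range headers {
		_, err := CheckEntry("/home/user/cp-dest", &headers[i])
		rejected[headers[i].Name] = err != nil
	}
	return rejected
}
```

The check is lexical only; an extractor that follows symlinks already present on disk needs to resolve them as well.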


Affected Software:

* Kubernetes 1.12.x < 1.12.9

* Kubernetes 1.13.x < 1.13.6

* Kubernetes 1.14.x < 1.14.2


Run ‘kubectl version --client’ to view version information [4].


Recommendation:

Upgrade to Kubernetes 1.12.9, 1.13.6 or 1.14.2.
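As an added example (not part of the original advisory), the following reads the GitVersion field out of ‘kubectl version --client’ output and compares it against the fixed releases listed above. The sample output is constructed; the assumption is only that the output contains a field of the form GitVersion:"vX.Y.Z", and minor series the advisory does not list are reported as an error rather than as safe.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// fixedPatch maps each affected minor series from the advisory to its first fixed
// patch release (1.12.9, 1.13.6, 1.14.2). Other minors are not covered here.
var fixedPatch = map[int]int{12: 9, 13: 6, 14: 2}

var gitVersionRE = regexp.MustCompile(`GitVersion:"v(\d+)\.(\d+)\.(\d+)`)

// SampleOutput is a constructed stand-in for `kubectl version --client` output;
// the commit hash is a placeholder, not a real value.
const SampleOutput = `Client Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.1", GitCommit:"<placeholder>"}`

// AffectedByCVE201911246 reports whether the client version in output falls in an
// affected range. It returns an error when no GitVersion is present or the minor
// series is not one the advisory lists, so "unknown" is never reported as "fixed".
func AffectedByCVE201911246(output string) (bool, error) {
	m := gitVersionRE.FindStringSubmatch(output)
	if m == nil {
		return false, fmt.Errorf("no GitVersion field in output")
	}
	major, _ := strconv.Atoi(m[1]) // regexp guarantees digits, so Atoi cannot fail
	minor, _ := strconv.Atoi(m[2])
	patch, _ := strconv.Atoi(m[3])
	fixed, listed := fixedPatch[minor]
	if major != 1 || !listed {
		return false, fmt.Errorf("v%d.%d.%d is not in a series the advisory lists", major, minor, patch)
	}
	return patch < fixed, nil
}
```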


References:

[1] https://seclists.org/oss-sec/2019/q2/194

[2] https://www.infosecurity-magazine.com/news/incomplete-fix-leads-to-new-1-1

[3] https://groups.google.com/forum/#!topic/kubernetes-security-announce/NLs2TGbfPdo

[4] https://kubernetes.io/docs/tasks/tools/install-kubectl/


How Trusted CI can help:

The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (http://trustedci.org/help/) if you need assistance with assessing the potential impact of this vulnerability in your environment, or if you have additional information about this issue that should be shared with the community.



