
Kubernetes recent kubectl and CNI vulnerability fixes, Rancher 2.2.1 release

2025-01-19 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/02 Report

Today, Kubernetes released a series of patches to fix two newly discovered security vulnerabilities: CVE-2019-1002101 (a security vulnerability in the kubectl cp command) and CVE-2019-9946 (a vulnerability in the CNI port mapping plug-in). Rancher has also urgently published a series of new releases to support the patched versions of Kubernetes.

This article will introduce the details, principles, affected versions and upgrade recommendations of CVE-2019-1002101 and CVE-2019-9946, as well as the countermeasures that Rancher provides to users.

CVE-2019-1002101

Details and principles of vulnerabilities

CVE-2019-1002101 is a security vulnerability in the kubectl cp command with a severity level of [high]. When a user runs kubectl cp against a container that carries a malicious tar binary, that binary can replace or delete files on the user's workstation and write malicious files to any path on the user's computer.

The kubectl cp command copies files between a container and the user's computer. To copy files out of a container, kubectl runs tar inside the container to create an archive, streams it over the network, and unpacks it on the user's machine.

If the tar binary in the container is malicious, it can run arbitrary code and emit a crafted archive instead of the expected one. When a user then runs kubectl cp, the attacker can use that archive to write files to any path on the user's computer; only the local user's filesystem permissions limit what can be written.
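As an added illustration (not code from the Kubernetes project or from this article), the following Go snippet shows the kind of containment check an unpacker needs before writing a tar entry received from a container: entry names that are absolute or that climb out of the destination directory are refused. The archive it inspects is constructed in memory for the demonstration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// safeJoin rejects tar entry names that would land outside dest, the CVE-2019-1002101 class of problem.
func safeJoin(dest, name string) (string, error) {
	if filepath.IsAbs(name) {
		return "", fmt.Errorf("absolute entry name %q rejected", name)
	}
	target := filepath.Join(dest, name) // Join collapses ".." segments, so compare the result to dest
	rel, err := filepath.Rel(dest, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, "../") {
		return "", fmt.Errorf("entry %q escapes %q", name, dest)
	}
	return target, nil
}

// checkArchive walks a tar stream and returns the entry names a hardened unpacker must refuse.
func checkArchive(r io.Reader, dest string) (bad []string, err error) {
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return bad, nil
		} else if err != nil {
			return bad, err
		}
		if _, err := safeJoin(dest, hdr.Name); err != nil {
			bad = append(bad, hdr.Name)
		}
	}
}

// buildSample is a constructed in-memory archive standing in for what a malicious tar in the
// container could stream back: one normal entry and two that try to escape the destination.
func buildSample() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, name := range []string{"app/config.yaml", "../../.bashrc", "/abs/path/file"} {
		tw.WriteHeader(&tar.Header{Name: name, Mode: 0o644, Typeflag: tar.TypeReg})
	}
	tw.Close()
	return buf.Bytes()
}
```

Calling checkArchive on the sample with destination /home/user/out returns the two escaping names; a real unpacker would abort or skip them rather than write.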

Affected versions and upgrade recommendations

Which users are affected by this vulnerability? Run kubectl version --client to check: every client version other than 1.11.9, 1.12.7, 1.13.5, 1.14.0 or later is vulnerable.

All users on a vulnerable version are advised to upgrade to the patched versions Kubernetes released today: 1.11.9, 1.12.7, 1.13.5 or 1.14.0.

For installing and setting up kubectl, refer to the tutorial at this link:

Https://kubernetes.io/docs/tasks/tools/install-kubectl/

CVE-2019-9946

Details and principles of vulnerabilities

CVE-2019-9946 is a security vulnerability in the Kubernetes CNI framework, with a severity level of [medium]. The problem lies in the interaction between the CNI port mapping plug-in (versions prior to 0.7.5) and Kubernetes. Because the CNI port mapping plug-in is bundled with the Kubernetes release, the issue can only be resolved by upgrading to a new version of Kubernetes.

Before the fix, when HostPort port mapping was configured, the CNI plug-in inserted its rules at the head of the iptables nat chain, ahead of the KUBE-SERVICES chain. Incoming traffic therefore hit the HostPort rules first, and the HostPort rule kept matching even when a more appropriate and specific service rule (such as a NodePort) existed further down the chain.

The fix changes the port mapping plug-in from inserting its rules at the head of the chain to appending them at the end, so traffic is handled by the KUBE-SERVICES rules first; HostPorts are considered only if the traffic does not match a service.

Affected versions and upgrade recommendations

Because this affects the plug-in interface, it is hard to tell whether you are affected without fully understanding your Kubernetes configuration. A kube-proxy running in IPVS mode, combined with pods that use HostPort port mapping, is certainly affected. Note, however, that other network configurations may also use CNI's portmap plug-in.

Run kubectl version --short | grep Server. If the server is not on 1.11.9, 1.12.7, 1.13.5, 1.14.0 or later, and your Kubernetes cluster is paired with a CNI configuration that uses the portmap plug-in, you are most likely affected by this vulnerability.
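The rule ordering described above, and the "am I affected" question, can also be checked directly from iptables-save output for the nat table. The following Go snippet is an added example, not part of the article or of the CNI plug-ins: it assumes the portmap plug-in's DNAT chain is named CNI-HOSTPORT-DNAT and that kube-proxy jumps to KUBE-SERVICES from PREROUTING, and it flags the pre-0.7.5 ordering in which the HostPort jump sits ahead of the service jump. Both nat-table excerpts are constructed samples.

```go
package main

import "strings"

// prerouteJumpIndex returns the position, among the PREROUTING rules of an
// iptables-save nat table, of the first rule jumping to chain (-1 if none).
// iptables-save lists rules in evaluation order, so lower means earlier.
func prerouteJumpIndex(save, chain string) int {
	n := 0
	for _, line := range strings.Split(save, "\n") {
		if !strings.HasPrefix(line, "-A PREROUTING ") {
			continue
		}
		if strings.HasSuffix(line, " -j "+chain) {
			return n
		}
		n++
	}
	return -1
}

// hostPortShadowsServices reports the pre-0.7.5 portmap ordering: the HostPort
// DNAT jump is evaluated before KUBE-SERVICES, so a HostPort rule wins even
// when a more specific service rule (for example a NodePort) would also match.
func hostPortShadowsServices(save string) bool {
	hp := prerouteJumpIndex(save, "CNI-HOSTPORT-DNAT")
	svc := prerouteJumpIndex(save, "KUBE-SERVICES")
	return hp != -1 && svc != -1 && hp < svc
}

// Constructed nat-table excerpts: the portmap plug-in inserting its jump at the
// head of PREROUTING (vulnerable) versus appending it after kube-proxy's jump (fixed).
const vulnerableNat = `*nat
:PREROUTING ACCEPT [0:0]
:CNI-HOSTPORT-DNAT - [0:0]
:KUBE-SERVICES - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j CNI-HOSTPORT-DNAT
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
COMMIT`

const fixedNat = `*nat
:PREROUTING ACCEPT [0:0]
:KUBE-SERVICES - [0:0]
:CNI-HOSTPORT-DNAT - [0:0]
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A PREROUTING -m addrtype --dst-type LOCAL -j CNI-HOSTPORT-DNAT
COMMIT`
```

On a live node, feed the output of iptables-save -t nat to hostPortShadowsServices; a true result means the HostPort jump still precedes the service jump.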

There is no need to worry unduly: upgrade to the latest patched versions of Kubernetes (1.11.9, 1.12.7, 1.13.5 and 1.14.0) following the guidance of your management tool or vendor.

Rancher has released new versions to address these vulnerabilities.

As always, once vulnerabilities in Kubernetes itself were disclosed, the Rancher Labs team responded as quickly as possible to protect users who manage Kubernetes clusters with the Rancher platform.

If you manage Kubernetes clusters with the Rancher platform, don't worry: Rancher released new versions today that support the patched Kubernetes versions (1.11.9, 1.12.7 and 1.13.5), protecting all Rancher users' Kubernetes clusters from these vulnerabilities.

If the version you use may be affected by these two vulnerabilities, you can upgrade to one of the three Rancher versions released today:

Rancher 2.2.1

Rancher 2.1.8

Rancher 2.0.13

For Rancher 1.6.x users, support for Kubernetes v1.11.9 and v1.12.7 has been added to the Catalog (application directory) of Rancher v1.6.26. Upgrade to Rancher v1.6.26 and the new versions will be available the next time the catalog is automatically refreshed.

Safeguarding users' Docker & K8S journey

With more than 100 million downloads of the Rancher Kubernetes platform, we are well aware of how important security issues are to users, not least the tens of millions who run Docker and Kubernetes in production environments through the Rancher platform.

CVE-2018-1002105, the first serious security vulnerability exposed by Kubernetes at the end of 2018, was discovered by Darren Shepherd, co-founder and chief architect of Rancher Labs.

When Kubernetes exposed the dashboard and external IP proxy security vulnerability CVE-2018-18264 in January 2019, Rancher Labs was also the first to respond to users, ensuring that all Rancher 2.x and 1.6.x users were completely unaffected by the vulnerability.

The serious runc container escape vulnerability CVE-2019-5736 in February 2019 affected most Docker and Kubernetes users. The Rancher Kubernetes management platform and the RancherOS operating system were updated in less than a day, making Rancher the first platform in the industry to release a new version supporting the Docker patches. Rancher also helped backport the fixes to all versions of Docker and made them available to users, and provided a fix for the Linux 3.x kernel, which Docker does not officially support.

Responsibility, reliability, rapid response and a user-centered approach have always been Rancher's original intention; whenever problems arise in the industry, rigorously and steadfastly providing users with corresponding solutions is, as ever, Rancher's way of doing things. In the future, Rancher will continue to support and safeguard users on the Kubernetes road, ensuring that all enterprise users can move forward securely.
