
Kubernetes kubectl security vulnerability disclosed: how should users respond?

2025-01-18 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/02 Report

On September 19, Beijing time, Kubernetes disclosed CVE-2019-11251, rated as a medium-severity issue. The affected kubectl versions are v1.13.10, v1.14.6, and v1.15.3. After analysis, the Rancher security risk assessment team concluded that this Kubernetes CVE does not affect the security of Rancher products, so there is no need for an immediate 2.1.x or 2.2.x release; the kubectl version used in the Rancher UI will be upgraded in the first maintenance release of next quarter.

CVE-2019-11251

If you are not sure whether the version you are using is affected, run the command kubectl version --client. If the client version it returns is v1.13.10, v1.14.6, or v1.15.3, you should upgrade as soon as possible. For more information, see:

https://kubernetes.io/docs/tasks/tools/install-kubectl/

Vulnerability details

This vulnerability is closely related to CVE-2019-1002101 and CVE-2019-11246. It allows a combination of two symlinks to make kubectl cp copy files outside of its target directory, so an attacker controlling the container being copied from can use symlinks to place malicious files outside the target tree.

In Kubernetes 1.16, the problem was fixed by removing symlink support from kubectl cp altogether. The Kubernetes maintainers recommend using kubectl exec together with tar instead. For details, see:

https://github.com/kubernetes/kubernetes/pull/82143

For the older release branches, a different fix was applied: the untar logic of kubectl cp was changed so that symlinks are extracted only after all regular files have been written, which ensures that no file can be written through a symlink. This fix shipped in v1.15.4, v1.14.7, and v1.13.11.
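The symlink problem and both fixes are easiest to understand with a small extractor. The following is an added example written for this article, not kubectl's own code: it builds in memory a constructed tar stream of the kind a compromised container could return to kubectl cp (a symlink named escape pointing outside the destination, followed by a regular file whose path runs through that link) and extracts it three ways: in archive order (the vulnerable behaviour), with symlinks deferred until every regular file has been written (the v1.13.11/v1.14.7/v1.15.4 approach), and with symlink entries refused (the v1.16 approach). The function names build_malicious_tar, untar and demo, the mode labels, the payload and the directory layout are assumptions for the example; how exactly kubectl reports a conflicting or refused symlink is not reproduced. It needs a Unix-like filesystem where unprivileged users can create symlinks.

```python
from __future__ import annotations

import io
import os
import stat
import tarfile
import tempfile
from typing import Optional

# Extraction modes; the labels are this example's own, not kubectl's.
NAIVE = "naive"                      # entries created in archive order (vulnerable)
DEFER_SYMLINKS = "defer-symlinks"    # links created after all regular files (v1.15.4-style fix)
REJECT_SYMLINKS = "reject-symlinks"  # symlink entries refused outright (v1.16-style fix)


def build_malicious_tar(outside_dir: str) -> bytes:
    """Constructed sample of the stream a compromised container could send to
    the client side of kubectl cp: a symlink "escape" -> outside_dir followed by
    a regular file whose path runs through that link. Not real kubectl output."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tw:
        link = tarfile.TarInfo("escape")
        link.type = tarfile.SYMTYPE
        link.linkname = outside_dir
        tw.addfile(link)
        payload = b"written through a symlink\n"
        member = tarfile.TarInfo("escape/pwned.txt")
        member.size = len(payload)
        tw.addfile(member, io.BytesIO(payload))
    return buf.getvalue()


def untar(archive: bytes, dest: str, mode: str) -> None:
    """Extract archive under dest, handling symlink entries according to mode."""
    deferred = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tr:
        for member in tr:
            # Normalising the name against "/" neutralises "..", the older
            # CVE-2019-1002101 / CVE-2019-11246 escape; it does nothing about symlinks.
            target = os.path.join(dest, os.path.normpath("/" + member.name).lstrip("/"))
            if member.issym():
                if mode == REJECT_SYMLINKS:
                    raise ValueError(f"symlink entry {member.name!r} refused")
                if mode == DEFER_SYMLINKS:
                    deferred.append((member.linkname, target))
                    continue
                os.symlink(member.linkname, target)
            elif member.isreg():
                # makedirs and open resolve through any symlink already on the
                # path: in NAIVE mode this is where the write leaves dest.
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "wb") as out:
                    out.write(tr.extractfile(member).read())
    # Every regular file now sits at a real path under dest, so a deferred link
    # cannot redirect a write; a link whose name is already a real directory
    # fails with FileExistsError instead of silently winning.
    for linkname, target in deferred:
        os.symlink(linkname, target)


def _is_regular_file(path: str) -> bool:
    """True if path itself (not a symlink target) is a regular file."""
    try:
        return stat.S_ISREG(os.lstat(path).st_mode)
    except OSError:
        return False


def demo(mode: str) -> tuple[str, Optional[str]]:
    """Run the malicious archive through untar in a throwaway tree and report
    where the payload landed ("escaped", "contained" or "nothing written")
    together with the error untar raised, if any."""
    with tempfile.TemporaryDirectory(prefix="cve-2019-11251-") as root:
        outside = os.path.join(root, "outside")  # stands in for e.g. the user's home directory
        dest = os.path.join(root, "dest")        # the kubectl cp destination tree
        os.mkdir(outside)
        os.mkdir(dest)
        error = None
        try:
            untar(build_malicious_tar(outside), dest, mode)
        except (OSError, ValueError) as exc:
            error = f"{type(exc).__name__}: {exc}"
        if _is_regular_file(os.path.join(outside, "pwned.txt")):
            return "escaped", error
        if _is_regular_file(os.path.join(dest, "escape", "pwned.txt")):
            return "contained", error
        return "nothing written", error


if __name__ == "__main__":
    for m in (NAIVE, DEFER_SYMLINKS, REJECT_SYMLINKS):
        print(f"{m:16} -> {demo(m)}")
```

In the naive mode the payload lands in the outside directory while dest/escape is only a link, which is the CVE. Deferring symlinks leaves the payload as a regular file under dest and turns the now-conflicting link into an error; refusing symlinks writes nothing at all. Note that the ordering fix and the ".." normalisation are independent defences: the first covers symlinks, the second covers the path traversal of the two earlier CVEs, and a safe extractor needs both.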

Kubernetes 1.16 Release

Kubernetes released version 1.16, its third release of 2019, on September 18, US time. The release consists of 31 enhancements: 8 stable, 8 beta, and 15 alpha. It focuses mainly on the following four areas:

Custom resources: CRDs are a lightweight mechanism for extending Kubernetes with new resource types. In version 1.16, CRDs are officially GA.

Admission webhooks: admission webhooks are an extension mechanism of Kubernetes that has been available in beta since version 1.9; in 1.16 they are also officially GA.

Overhauled metrics: Kubernetes has been using a global metrics registry to register the metrics it exposes. With the metrics registry in place, metrics can be registered in a more transparent way. Before this, Kubernetes metrics were excluded from any stability requirements.

Volume extension: this release contains a number of enhancements around volumes and volume modification. Support for volume resizing in the CSI specification is moving to beta, which allows any CSI spec volume plugin to be resized.

For more details of the new version, please refer to:

https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.16.md#v1160

Rancher's Countermeasures

After analysis, the Rancher security risk assessment team confirmed that this Kubernetes CVE does not affect the security of Rancher products, so the Rancher team will not immediately release new 2.1.x and 2.2.x fixes, but will upgrade the kubectl version used in the Rancher UI in the first maintenance release planned for next quarter.

The upstream CVE affects the kubectl cp command when a user copies files from a container to the host: a combination of two symlinks can cause files to be written outside the target directory on the host. This scenario does not apply to the kubectl used in the Rancher UI, because each kubectl session is started with only temporary storage, which disappears when the session is closed.

This CVE does not affect the security of the Rancher product itself, and strictly speaking it does not fall within the scope of Rancher product support, but the Rancher team still recommends that Rancher 2.x users upgrade their local kubectl version, and Rancher will also upgrade the kubectl version used in the Rancher UI in the first maintenance release planned for next quarter.

For Rancher enterprise subscribers: if you have any concerns about this Kubernetes CVE and want further security advice or upgrade guidance, contact the Rancher Support Team.
