January 29, 2019
This advisory was first communicated by email, on the date mentioned above, to all Rancher customers with a then-active support subscription.
Dear Rancher Customer,
As communicated in our two earlier emails leading up to this release announcement, two security vulnerabilities were discovered in Rancher 2.x, both of which result in privilege escalation. These vulnerabilities do not apply to Rancher 1.6.x or RancherOS products.
The vulnerabilities apply to versions 2.0.0 - 2.1.5 of Rancher:
- CVE-2018-20321 was first discovered by Rancher community users Michal Swierczewski & Mateusz Dyminski.
- CVE-2019-6287 was discovered by the Rancher QA team and Rancher community user Roman v. Gemmeren.
Today, we released Rancher v2.1.6 and v2.0.11, which fix these two vulnerabilities.
Please visit this blog post, which explains both vulnerabilities in more detail, their impact on users, and what can and should be done:
If you have any questions, submit a request via this portal, referencing this article, and we will track and respond to your question as a Support Ticket.
Rancher Support Team