June 05, 2019
This advisory was first communicated by email, on the date mentioned above, to all Rancher customers with a then active support subscription.
Please note that the Rancher releases addressing CVE-2019-12303 and CVE-2019-12274 are now available. Click on the links below for the specific release announcements:
Dear Rancher Customer,
This is an advisory heads-up on two security vulnerabilities discovered in Rancher. One affects Rancher v1.6 and v2.x, whilst the other's scope is limited to Rancher v2.x only. Neither vulnerability applies to RancherOS. Below is a high-level summary of the two vulnerabilities:
(1) CVE-2019-12303 was found and reported by Tyler Welton from Untamed Theory. The CVE applies to Rancher versions v2.0.0 - v2.2.3.
This vulnerability allows Project owners to inject an extra fluentd logging configuration that makes it possible to read files or execute arbitrary commands inside the fluentd container.
(2) CVE-2019-12274 was discovered by the Rancher Engineering team. The CVE applies to Rancher versions v1.6.0 - v1.6.27 (Cattle and Kubernetes users) and v2.0.0 - v2.2.3.
This vulnerability affects built-in node drivers that have a file path option, which allows the machine to read arbitrary files, including sensitive ones like `/root/.kube/config`, from inside the Rancher server container. This can result in the machine creator gaining unauthorized access to the Rancher management plane.
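The file path option weakness in (2) is the classic case of a user-controlled path being opened with the server's own privileges. As an added illustration that is not Rancher's own code, the Go check below confines such an option to an allowed directory, rejecting absolute paths, ".." traversal and symlinks that escape the directory; the directory names are hypothetical.

```go
package main

import (
	"errors"
	"path/filepath"
	"strings"
)

var ErrOutsideRoot = errors.New("file path option escapes the allowed directory")

// isWithin reports whether the clean path p equals root or lies beneath it.
func isWithin(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// ConfineFileOption lexically confines a user-supplied file path option to
// allowedRoot (assumed absolute): absolute paths and ".." traversal out of the
// root are rejected, so "../../root/.kube/config" never resolves.
func ConfineFileOption(allowedRoot, userPath string) (string, error) {
	if filepath.IsAbs(userPath) {
		return "", ErrOutsideRoot
	}
	candidate := filepath.Join(allowedRoot, userPath) // Join also cleans ".." segments
	if !isWithin(filepath.Clean(allowedRoot), candidate) {
		return "", ErrOutsideRoot
	}
	return candidate, nil
}

// ResolveConfined adds the physical check: symlinks are resolved first, so a
// link planted inside the allowed directory cannot point at a file outside it.
// Open the returned path directly rather than re-resolving userPath.
func ResolveConfined(allowedRoot, userPath string) (string, error) {
	p, err := ConfineFileOption(allowedRoot, userPath)
	if err != nil {
		return "", err
	}
	realRoot, err := filepath.EvalSymlinks(allowedRoot)
	if err == nil {
		p, err = filepath.EvalSymlinks(p) // follows any symlink in the user path
	}
	if err != nil {
		return "", err
	}
	if !isWithin(realRoot, p) {
		return "", ErrOutsideRoot
	}
	return p, nil
}
```

The lexical check alone is enough to reject the traversal case; the symlink check matters when the allowed directory is writable by the same user who supplies the option.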
We are currently working on providing fixes that will address both these vulnerabilities. We expect to make a Rancher release next week (week beginning Mon, June 3rd) that will include these fixes.
Stay tuned. We will update you with a follow-up communication closer to the release.
If there are any questions, simply submit a request via this portal referencing this article and we will track and respond to your question as a Support Ticket.
Rancher Support Team