August 06, 2019
This advisory was first communicated by email, on the date mentioned above, to all Rancher customers with a then active support subscription.
Release announcement follow-up
Rancher v2.2.7 and v2.1.12 are now available and address the issues communicated in yesterday's advisory email (see below):
Dear Rancher User,
Kubernetes has announced patch versions today to address the following vulnerabilities:
- CVE-2019-11247, API server allows access to custom resources via wrong scope
- CVE-2019-11249, Incomplete fixes for CVE-2019-1002101 and CVE-2019-11246, kubectl cp potential directory traversal
For more details on the announcements, see:
Kubernetes versions that address CVE-2019-11247 and CVE-2019-11249 are:
This email is to let you know about Rancher releases that will be made available in the next couple of days this week, to enable you to move to one of the above Kubernetes versions. The new Rancher releases are:
- Rancher v2.2.7: this release comes with the latest Kubernetes versions (v1.13.9, v1.14.5, v1.15.2) for clusters launched by Rancher. To address Kubernetes CVE-2019-11247 and CVE-2019-11249, we recommend upgrading your Kubernetes clusters to one of these versions.
- Rancher v2.1.12: this release comes with the latest Kubernetes version (v1.13.9 only) for clusters launched by Rancher. To address Kubernetes CVE-2019-11247 and CVE-2019-11249, we recommend upgrading your Kubernetes clusters to this version.
In addition to the Kubernetes vulnerabilities, Rancher v2.2.7 and v2.1.12 will address the following two vulnerabilities that were recently discovered in Rancher:
- CVE-2019-14436 - This vulnerability allows a Project Owner (or any lesser role that has the ability to edit role bindings) to grant themselves a cluster-level role, giving them admin access to that cluster. The issue was found and reported by Michal Lipinski at Nokia.
- CVE-2019-14435 - This vulnerability allows authenticated users to potentially extract otherwise private data from IPs reachable by the system service containers used by Rancher. This can include, but is not limited to, services such as cloud provider metadata services. Although Rancher allows users to configure whitelisted domains for system service access, this flaw can still be exploited with a carefully crafted HTTP request. The issue was found and reported by Matt Belisle and Alex Stevenson at Workiva.
- Users of Rancher v1.6.x are not impacted by this communication.
- Users of Rancher v2.0.x:
  - The Kubernetes CVEs have been patched in versions v1.13.x, v1.14.x and v1.15.x only. These Kubernetes versions are not supported by Rancher v2.0.x.
  - Rancher v2.0.x is currently in the EOM to EOL support phase of its product lifecycle, as described in our terms of service page. Therefore, there is no plan to ship a 2.0.x patch release to address the two Rancher vulnerabilities. Should you have an exceptional scenario that necessitates a v2.0.x patch for these two vulnerabilities, please contact support. Otherwise, given the imminent EOL for v2.0.x (November 1st, 2019), we recommend you upgrade Rancher to the latest version.
If there are any questions, simply submit a request via this portal referencing this article and we will track and respond to your question as a Support Ticket.
Rancher Support Team