August 20, 2019
This advisory was first communicated by email, on the date mentioned above, to all Rancher customers with a then-active support subscription.
Dear Rancher User,
This week Kubernetes has announced patch versions to address the following two vulnerabilities:
- "Go is affected by two of the vulnerabilities (CVE-2019-9512 and CVE-2019-9514) and so Kubernetes components that serve HTTP/2 traffic (including /healthz) are also affected."
For more details on the announcements, see:
Kubernetes versions that address the above two vulnerabilities are:
This email is to let you know of the Rancher releases that were made available today to enable you to move to one of the above Kubernetes versions. The new Rancher releases are:
- Rancher v2.2.8: this release comes with the latest Kubernetes versions - v1.13.10, v1.14.6 (default), v1.15.3 (experimental) - for clusters launched by Rancher. To address Kubernetes CVE-2019-9512 and CVE-2019-9514, we recommend upgrading your Kubernetes clusters to one of these versions.
- Rancher v2.1.13: this release comes with the latest Kubernetes version - v1.13.10 (default) - for clusters launched by Rancher. To address Kubernetes CVE-2019-9512 and CVE-2019-9514, we recommend upgrading your Kubernetes clusters to this version.
The Rancher Support Matrix will be updated this week with entries for Rancher v2.2.8 and v2.1.13 respectively.
- Users of Rancher v1.6.x are not impacted by this communication. Kubernetes v1.12.7 is the highest version supported in Rancher v1.6.x.
- Users of Rancher v2.0.x:
  - The Kubernetes CVEs have been patched in versions v1.13.x, v1.14.x and v1.15.x only. These are Kubernetes versions not supported by Rancher v2.0.x.
  - Rancher v2.0.x is currently in the EOM to EOL support phase of its product lifecycle, as described in our terms of service page. Therefore, there isn't a plan to ship a 2.0.x patch release to address the two Rancher vulnerabilities. Should you have an exceptional scenario that necessitates a v2.0.x patch for these two vulnerabilities, please contact support. Otherwise, given the imminent EOL for v2.0.x (November 1st, 2019), we recommend you upgrade Rancher to the latest version.
If there are any questions, simply submit a request via this portal referencing this article and we will track and respond to your question as a Support Ticket.
Rancher Support Team