Rancher Security Advisory: Info on release addressing Rancher CVE-2018-20321 and CVE-2019-6287

January 28, 2019

This advisory was first communicated by email, on the date mentioned above, to all Rancher customers with a then-active support subscription.

UPDATE on the heads-up email from last week:

Please note that the Rancher release addressing the CVEs below is scheduled for the morning (US Pacific) of Tuesday, January 29, 2019.

Dear Rancher Customer,

We want to give you an advisory heads-up on two security vulnerabilities that we have discovered in Rancher 2.x, both of which result in privilege escalation. These vulnerabilities do not apply to Rancher 1.6.x or RancherOS products.

The vulnerabilities apply to versions 2.0.0 - 2.1.5 of Rancher:

  • CVE-2018-20321 was first discovered by two Rancher community users.
  • CVE-2019-6287 was discovered by the Rancher QA team.

For more details on the above, please visit KB articles CVE-2018-20321 and CVE-2019-6287 in the Rancher Support Portal (login required).  

We are currently working on providing fixes that will address these two vulnerabilities.  We expect to make a Rancher release the week of January 28 that will address both these items.

Stay tuned. We will update you with a follow-up communication closer to the release.

If there are any questions, simply submit a request via this portal referencing this article and we will track and respond to your question as a Support Ticket.


Rancher Support Team
