January 28, 2019
This advisory was first communicated by email, on the date mentioned above, to all Rancher customers with a then-active support subscription.
UPDATE on the heads-up email from last week:
Please note that the Rancher release addressing the CVEs below is scheduled for the morning (US Pacific) of Tuesday, January 29, 2019.
Dear Rancher Customer,
We want to give you an advisory heads-up on two security vulnerabilities that we have discovered in Rancher 2.x, both of which result in privilege escalation. These vulnerabilities do not apply to Rancher 1.6.x or RancherOS products.
The vulnerabilities apply to versions 2.0.0 - 2.1.5 of Rancher:
- CVE-2018-20321 was first discovered by two Rancher community users.
- CVE-2019-6287 was discovered by the Rancher QA team.
We are currently working on fixes that will address these two vulnerabilities. We expect to make a Rancher release the week of January 28 that will address both of these items.
Stay tuned. We will update you with a follow-up communication closer to the release.
If you have any questions, simply submit a request via this portal referencing this article, and we will track and respond to your question as a Support Ticket.
Rancher Support Team