Rancher Security Advisory: Heads-up (update) on Rancher CVE-2019-12303 and CVE-2019-12274

June 04, 2019

This advisory was first communicated by email, on the date mentioned above, to all Rancher customers with a then active support subscription.

UPDATE on the heads-up email from last week:

Please note that the Rancher release(s) addressing the CVEs below are scheduled for tomorrow, Wednesday, June 05, 2019.

Dear Rancher Customer,

This is an advisory heads-up on two security vulnerabilities discovered in Rancher. One of these vulnerabilities affects Rancher v1.6 and v2.x, whilst the other's scope is limited to Rancher v2.x only. Neither vulnerability applies to RancherOS. Below is a high-level summary of the two vulnerabilities:

(1) CVE-2019-12303 was found and reported by Tyler Welton from Untamed Theory. The CVE applies to Rancher versions v2.0.0 - v2.2.3.

This vulnerability allows Project owners to inject an extra fluentd logging configuration that makes it possible to read files or execute arbitrary commands inside the fluentd container.

(2) CVE-2019-12274 was discovered by Rancher Engineering team. The CVE applies to Rancher versions v1.6.0 - v1.6.27 (Cattle and Kubernetes users) and v2.0.0 - v2.2.3.

This vulnerability affects built-in node drivers that have a file path option, which allows machine to read arbitrary files (including sensitive ones such as `/root/.kube/config`) from inside the Rancher server container. This can result in the machine creator gaining unauthorized access to the Rancher management plane.

We are currently working on providing fixes that will address both these vulnerabilities. We expect to make a Rancher release next week (week beginning Mon, June 3rd) that will include these fixes.

Stay tuned. We will update you with a follow-up communication closer to the release.

If there are any questions, simply submit a request via this portal referencing this article and we will track and respond to your question as a Support Ticket.



Rancher Support Team
