September 19, 2019
This advisory was first communicated by email, on the date mentioned above, to all Rancher customers with a then active support subscription.
Dear Rancher 2.x User,
In case you missed it, Kubernetes Product Security Committee made the following announcement yesterday.
Subject: [ANNOUNCE] Security release of kubectl versions v1.16.0 / 1.15.4 / 1.14.7 and 1.13.11 - CVE-2019-11251
Hello Kubernetes Community,
A security issue was discovered in kubectl versions v1.13.10, v1.14.6, and v1.15.3. The issue is of a medium severity and upgrading of kubectl is encouraged to fix the vulnerability.
Am I vulnerable?
Run `kubectl version --client` and if it returns versions v1.13.10, v1.14.6, and v1.15.3, you are running a vulnerable version.
How do I upgrade?
Follow installation instructions here https://kubernetes.io/docs/tasks/tools/install-kubectl/
Not all instructions will provide up-to-date kubectl versions at the time of this announcement. So, always confirm with `kubectl version --client`.
The details for this vulnerability are very similar to CVE-2019-1002101 and CVE-2019-11246.
A vulnerability has been discovered in `kubectl cp` that allows a combination of two symlinks to copy a file outside of its destination directory. This could be used to allow an attacker to place a netfarious file using a symlink, outside of the destination tree.
This issue is filed as CVE-2019-11251 .
Two fixes were formulated, one fix to remove symlink support going forwards and a fix with cherry picks made to ensure backwards compatibility.
See https://github.com/kubernetes/kubernetes/pull/82143 for main fix in v1.16.0 which removes the support of symlinks in kubectl cp. After version 1.16.0, symlink support with `kubectl cp` is removed, it is recommended instead to use a combination of exec+tar.
A second fix has been made to 1.15.4 and backported to 1.14.7 and 1.13.11. This changes the` kubectl cp` un-tar symlink logic, by unpacking the symlinks after all the regular files have been unpacked. This then guarantees that a file can't be written through a symlink.
See https://github.com/kubernetes/kubernetes/pull/82384 for the fix to version 1.15.4. The following Cherry picks were made from this fix to earlier versions of v1.14.7 and v1.13.11:
See https://github.com/kubernetes/kubernetes/pull/82502 for version 1.14.7
See https://github.com/kubernetes/kubernetes/pull/82503 for version 1.13.11
Thank you to Erik Sjölund for discovering this issue, Tim Allclair and Maciej Szulik for both fixes and the patch release managers for including the fix in their releases.
Luke Hinds on behalf of the Kubernetes Product Security Committee
Upon completing its own analysis of this CVE announcement, the Rancher team has concluded that there is no need for immediate 2.1.x and 2.2.x releases to patch kubectl used in Rancher UI.
The upstream CVE affects kubectl cp command when copying a file from a container to a host that allows a combination of two symlinks to copy a file outside of its destination directory on the host. This scenario has been deemed as not relevant to the kubectl exposed in Rancher UI where every kubectl session only starts an ephemeral (non persistent) data store that goes away when the session is closed.
That said, the Rancher team does recommend its 2.x users to upgrade their local versions of kubectl, a task that however falls outside the scope of Rancher product releases and support.
Rancher plans to upgrade the version of kubectl exposed in Rancher UI in its first maintenance releases for the next calendar quarter. Stay tuned. We will update you with a follow up communication closer to these releases.
If there are any questions, simply submit a request via this portal referencing this article and we will track and respond to your question as a Support Ticket.
Rancher Support Team