October 16, 2019
This advisory was first communicated by email, on the date mentioned above, to all Rancher customers with a then active support subscription.
Dear Rancher 2.x User,
This week Kubernetes has released patch versions to address the following two vulnerabilities:
- CVE-2019-11253 is a denial-of-service vulnerability in kube-apiserver: an authorized user can send a malicious YAML or JSON payload that causes kube-apiserver to consume excessive CPU or memory, potentially crashing it and making it unavailable.
- CVE-2019-16276 is a flaw in Go's net/http library that causes invalid HTTP headers to be normalized and then interpreted as valid by a Go HTTP server. If a reverse proxy in front of a Go HTTP server accepts and forwards invalid headers without normalizing them, the Go server can interpret those headers differently than the reverse proxy did.
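The parser discrepancy behind CVE-2019-16276 is easier to see in code than in prose. The following Go program is an added example, not code from the advisory or from the Go or Kubernetes projects. It models the three parties the advisory describes with one small header parser run in three modes: a proxy that forwards a header line verbatim, a Go server before the fix, and a Go server after it. The specific invalid form it uses, whitespace between the header name and the colon, is the case the Go 1.12.10 / 1.13.1 fix addressed (from the Go release notes, not from the advisory); the request block and the X-Internal-Admin header name are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/textproto"
	"strings"
)

// Mode selects how a raw header line is interpreted. The three modes model the
// three parties in the advisory: a proxy that forwards what it receives, the Go
// server before the CVE-2019-16276 fix, and the Go server after it.
type Mode int

const (
	Verbatim Mode = iota // proxy: accept the line and keep the name exactly as sent
	Lenient              // pre-fix net/textproto: trim whitespace before the colon, then canonicalise
	Strict               // fixed net/textproto: reject a name with whitespace before the colon
)

// RawHeaders is a constructed sample, not a captured request. The second line
// has a space before the colon, which RFC 7230 forbids.
const RawHeaders = "Host: api.example.test\r\n" +
	"X-Internal-Admin : true\r\n" +
	"Content-Type: application/json\r\n"

// ParseHeaders parses a CRLF-separated header block under the given Mode and
// returns a map keyed by the name the parser ends up with.
func ParseHeaders(raw string, mode Mode) (map[string]string, error) {
	out := make(map[string]string)
	for _, line := range strings.Split(raw, "\r\n") {
		if line == "" {
			continue
		}
		i := strings.IndexByte(line, ':')
		if i < 0 {
			return nil, fmt.Errorf("malformed header line %q: no colon", line)
		}
		name, value := line[:i], strings.TrimSpace(line[i+1:])
		trimmed := strings.TrimRight(name, " \t")
		switch {
		case trimmed == name:
			// Well-formed name: nothing to decide, every mode accepts it.
		case mode == Strict:
			return nil, fmt.Errorf("malformed header name %q: whitespace before colon", name)
		case mode == Lenient:
			name = trimmed // the normalisation the fix removed
		}
		// CanonicalMIMEHeaderKey returns a name containing a space unchanged,
		// so in Verbatim mode the key keeps its trailing space and will not
		// match a lookup for the canonical name.
		out[textproto.CanonicalMIMEHeaderKey(name)] = value
	}
	return out, nil
}

// SeenAs reports the value the parser attributes to canonical header name
// want; "" means the header is absent or the whole block was rejected.
func SeenAs(raw string, mode Mode, want string) (string, error) {
	h, err := ParseHeaders(raw, mode)
	if err != nil {
		return "", err
	}
	return h[want], nil
}

func main() {
	parties := []struct {
		name string
		mode Mode
	}{
		{"proxy (verbatim)", Verbatim},
		{"Go before fix (lenient)", Lenient},
		{"Go after fix (strict)", Strict},
	}
	for _, p := range parties {
		v, err := SeenAs(RawHeaders, p.mode, "X-Internal-Admin")
		fmt.Printf("%-25s X-Internal-Admin=%q err=%v\n", p.name, v, err)
	}
}
```

The point of the three runs: a proxy rule that strips or inspects a client-supplied X-Internal-Admin header does not match the name with the trailing space and forwards the line untouched; the pre-fix Go server then trims the space and sees X-Internal-Admin: true, which is exactly the disagreement the advisory warns about; the fixed server rejects the request instead.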
The Kubernetes versions that address the above vulnerabilities are v1.13.12, v1.14.8, v1.15.5 and v1.16.2.
This email is to let you know about the Rancher releases we made available today so that you can move to one of the above Kubernetes versions. The new Rancher releases are:
Rancher v2.3.1: this release ships the latest Kubernetes versions - v1.13.12, v1.14.8, v1.15.5 (default), v1.16.2 (experimental) - for clusters launched by Rancher. To address the reported vulnerabilities, we recommend upgrading your Kubernetes clusters to one of these versions.
Rancher v2.2.9: this release ships the latest Kubernetes versions - v1.13.12, v1.14.8, v1.15.5 (default) - for clusters launched by Rancher. To address the reported vulnerabilities, we recommend upgrading your Kubernetes clusters to one of these versions.
The Rancher Support Matrix will be updated this week with entries for Rancher v2.3.1 and v2.2.9 respectively.
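Before and after upgrading, it helps to check every cluster's Kubernetes version against the fixed patch releases rather than eyeballing a list. The following Go program is an added example, not a Rancher tool: it classifies a version string as already patched, needing an upgrade within its minor line, or sitting on a line that never received a fix (1.12 and earlier, as the advisory notes for Rancher v2.1.x and v1.6.x users). The cluster inventory is constructed; in practice the version would come from the gitVersion field of kubectl version output or from the Rancher API (an assumption about where you would source it). A build suffix after a hyphen, such as the -rancherN suffix Rancher applies to its Kubernetes builds, is ignored when comparing; that suffix form is an assumption. Minor lines newer than 1.16 are assumed to carry the fix forward.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Fixed holds, per Kubernetes minor line, the first patch release that
// contains the fixes for CVE-2019-11253 and CVE-2019-16276, as listed in
// the advisory. Lines absent from this map (1.12 and earlier) received no fix.
var Fixed = map[int]int{
	13: 12, // v1.13.12
	14: 8,  // v1.14.8
	15: 5,  // v1.15.5
	16: 2,  // v1.16.2
}

// newestFixedMinor is the highest minor line in Fixed; later lines branched
// after the fix and are assumed to include it (assumption, see lead-in).
const newestFixedMinor = 16

// Status is the triage result for one cluster.
type Status string

const (
	Patched  Status = "patched"
	Upgrade  Status = "upgrade to the fixed patch release on this line"
	NoFix    Status = "no fixed release on this line; move to a supported line"
	Unparsed Status = "could not parse version"
)

// parseVersion accepts forms such as "v1.15.3", "1.14.8" or
// "v1.13.10-rancher1-2" and returns the minor and patch numbers.
func parseVersion(v string) (minor, patch int, ok bool) {
	v = strings.TrimPrefix(strings.TrimSpace(v), "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i] // drop build/pre-release suffix
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 || parts[0] != "1" {
		return 0, 0, false
	}
	minor, err1 := strconv.Atoi(parts[1])
	patch, err2 := strconv.Atoi(parts[2])
	if err1 != nil || err2 != nil {
		return 0, 0, false
	}
	return minor, patch, true
}

// Classify maps one Kubernetes version string to a Status.
func Classify(version string) Status {
	minor, patch, ok := parseVersion(version)
	if !ok {
		return Unparsed
	}
	fixedPatch, listed := Fixed[minor]
	switch {
	case listed && patch >= fixedPatch:
		return Patched
	case listed:
		return Upgrade
	case minor > newestFixedMinor:
		return Patched
	default:
		return NoFix
	}
}

// Triage classifies a cluster-name -> version inventory.
func Triage(inventory map[string]string) map[string]Status {
	out := make(map[string]Status, len(inventory))
	for name, v := range inventory {
		out[name] = Classify(v)
	}
	return out
}

func main() {
	// Constructed inventory, not real clusters.
	inventory := map[string]string{
		"prod-eu":   "v1.15.5-rancher1-2",
		"prod-us":   "v1.15.3-rancher1-1",
		"legacy":    "v1.12.10-rancher1-1",
		"staging":   "v1.16.2",
		"sandbox":   "unknown",
	}
	result := Triage(inventory)
	names := make([]string, 0, len(result))
	for n := range result {
		names = append(names, n)
	}
	sort.Strings(names)
	for _, n := range names {
		fmt.Printf("%-10s %-22s %s\n", n, inventory[n], result[n])
	}
}
```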
If you are a user of one of the older versions of Rancher, please note the following:
Users of Rancher v2.1.x
The Kubernetes fixes for these CVEs are available only in v1.13.x, v1.14.x, v1.15.x, and v1.16.x, and of those lines only Kubernetes v1.13.x is supported by Rancher v2.1.x.
As communicated in our June '19 advisory, Rancher v2.1.x is currently in the EOM-to-EOL support phase of its product lifecycle, as described on our terms of service page. There is therefore no plan to ship a 2.1.x patch release for these Kubernetes vulnerabilities. If you have an exceptional scenario that requires a v2.1.x patch for these vulnerabilities, please contact support.
Users of Rancher v2.0.x
As communicated in our June '19 advisory and posted on the Rancher Support page, v2.0.x reaches EOL on November 1, 2019. Users are recommended to upgrade to a higher, actively supported version of Rancher 2.x.
Users of Rancher v1.6.x
This advisory does not apply to Rancher v1.6.x: Kubernetes v1.12.10 is the highest version supported by Rancher v1.6.x, and the fixed releases exist only for the v1.13 and later lines.
If there are any questions, simply submit a request via this portal referencing this article and we will track and respond to your question as a Support Ticket.
Rancher Support Team