Rancher Security Advisory: CVE-2020-8551 and CVE-2020-8552 reported by Kubernetes


Dear Rancher User,

Kubernetes recently announced patch versions to address the following two medium-rated vulnerabilities:

  • CVE-2020-8551: "The Kubelet component in versions 1.15.0-1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via the kubelet API, including the unauthenticated HTTP read-only API typically served on port 10255, and the authenticated HTTPS API typically served on port 10250."
  • CVE-2020-8552: "The Kubernetes API server component in versions prior to 1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via successful API requests."

For more details on the announcements, see:

Kubernetes versions that address the above two vulnerabilities are:

  • v1.17.3
  • v1.16.7
  • v1.15.10

This communication is to let you know of the Rancher releases that were also made available recently to enable you to move to one of the above Kubernetes versions or higher. The new Rancher releases are:

  • Rancher v2.4.2: release comes with the latest Kubernetes versions - v1.17.4 (default), v1.16.8, v1.15.11 - for clusters launched by Rancher. To address Kubernetes CVE-2020-8551 and CVE-2020-8552, we recommend upgrading your Kubernetes clusters to one of these versions.
  • Rancher v2.3.6: release comes with the latest Kubernetes versions - v1.17.4 (default), v1.16.8, v1.15.11 - for clusters launched by Rancher. To address Kubernetes CVE-2020-8551 and CVE-2020-8552, we recommend upgrading your Kubernetes clusters to one of these versions. Note: if your Rancher installation is not air-gapped and is on version v2.3.3 or higher, an upgrade to Rancher v2.3.6 is not necessary. Merely upgrading your downstream cluster(s) to one of the Kubernetes versions listed here should be possible and a Rancher-supported option.
  • Rancher v2.2.11: release comes with the latest Kubernetes versions - v1.15.11 (default), v1.14.10, v1.13.12 - for clusters launched by Rancher. To address Kubernetes CVE-2020-8551 and CVE-2020-8552, we recommend upgrading your Kubernetes clusters to v1.15.11.
  • RKE v1.1.0: release comes with support for v1.17.4 (default), v1.16.8 and v1.15.11, and can be used to upgrade the RKE cluster that the Rancher control plane is installed on, as well as upgrade any customer clusters that were built using RKE.
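To find which clusters still need the upgrade described above, here is an added example (not code from the original advisory or from Rancher): a small Python check that compares kubelet and API server versions against the affected ranges quoted in the CVE texts. It assumes the JSON shape of `kubectl get nodes -o json`; the node sample embedded below is constructed, and version suffixes such as `-rancher1` are tolerated.

```python
import json
import re

# Lowest patched release per minor line, as listed in the advisory (v1.15.10, v1.16.7, v1.17.3).
FIXED = {(1, 15): 10, (1, 16): 7, (1, 17): 3}

def parse_version(v):
    """Return (major, minor, patch) from 'v1.16.6', '1.16.6' or 'v1.17.4-rancher1'."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError("unrecognised version string: %s" % v)
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch

def is_vulnerable_kubelet(v):
    """CVE-2020-8551: kubelet 1.15.0-1.15.9, 1.16.0-1.16.6, 1.17.0-1.17.2 (older lines not named)."""
    major, minor, patch = parse_version(v)
    return (major, minor) in FIXED and patch < FIXED[(major, minor)]

def is_vulnerable_apiserver(v):
    """CVE-2020-8552: API server before the 1.15 fix, 1.16.0-1.16.6, 1.17.0-1.17.2."""
    major, minor, patch = parse_version(v)
    if (major, minor) in FIXED:
        return patch < FIXED[(major, minor)]
    # The quoted text says "prior to 1.15.9", so older minor lines (1.14 and earlier) count as affected.
    return (major, minor) < (1, 15)

def scan_nodes(nodes_json):
    """Evaluate every node's kubeletVersion from `kubectl get nodes -o json` output."""
    results = []
    for item in json.loads(nodes_json)["items"]:
        ver = item["status"]["nodeInfo"]["kubeletVersion"]
        results.append((item["metadata"]["name"], ver, is_vulnerable_kubelet(ver)))
    return results

# Constructed sample of `kubectl get nodes -o json`, trimmed to the fields used above.
SAMPLE_NODES = json.dumps({"items": [
    {"metadata": {"name": "worker-a"}, "status": {"nodeInfo": {"kubeletVersion": "v1.16.6"}}},
    {"metadata": {"name": "worker-b"}, "status": {"nodeInfo": {"kubeletVersion": "v1.17.4"}}},
]})

if __name__ == "__main__":
    for name, ver, vuln in scan_nodes(SAMPLE_NODES):
        print("%s: kubelet %s -> %s" % (name, ver, "UPGRADE" if vuln else "ok"))
```

Feed the script the real output of `kubectl get nodes -o json` for each downstream cluster, and pass the `serverVersion.gitVersion` value from `kubectl version -o json` to `is_vulnerable_apiserver` to cover CVE-2020-8552.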

Note:

  • Users of Rancher v1.6.x are not impacted by this communication. Kubernetes v1.12.7 is the highest version supported in Rancher v1.6.x.
  • For users of Rancher v2.0.x and v2.1.x: the Kubernetes CVEs have been patched in versions v1.17.x, v1.16.x and v1.15.x only, and these Kubernetes versions are not supported by Rancher v2.0.x and v2.1.x.

If there are any questions, simply submit a request via this portal referencing this article and we will track and respond to your question as a Support Ticket.

Thanks
Rancher Support Team
