Rancher Security Advisory: CVE-2020-8563, 8564, 8565, 8566 reported by Kubernetes


Dear Rancher Customer,

Kubernetes has released patch versions this week to address the following four medium-rated vulnerabilities:

  • CVE-2020-8563: Secret leaks in logs for vSphere Provider kube-controller-manager
  • CVE-2020-8564: Docker config secrets leaked when file is malformed and loglevel >= 4
  • CVE-2020-8565: Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9
  • CVE-2020-8566: Ceph RBD adminSecrets exposed in logs when loglevel >= 4

To see if your clusters are vulnerable, please go through the CVE posts in the kubernetes-security-announce forum and the information below in this advisory post.

Am I vulnerable?

If sufficiently verbose logging is enabled for the listed components, the following secrets can be exposed in logs. By default, none of these components run at log level 4 or higher, so you are vulnerable only if you have raised the log level of one of these components to or above the level shown in the table below.

CVE | Component | Log Level | Exposed Secret | Affected K8S Version | Fixed K8S Version
--- | --- | --- | --- | --- | ---
CVE-2020-8563 | kube-controller-manager | >=4 | vSphere Cloud credentials when using vSphere as a cloud provider | 1.19.0-1.19.2 | 1.19.3
CVE-2020-8564 | kube-controller-manager | >=4 | Ceph RBD Admin secrets | 1.19.0-1.19.2, 1.18.0-1.18.9, 1.17.0-1.17.12, anything < k8s 1.17 | 1.19.3, 1.18.10, 1.17.13
CVE-2020-8565 | Docker Config File | >=4 | Pull secrets or other credentials in the docker config file, as well as a malformed docker config file | 1.19.0-1.19.2, 1.18.0-1.18.9, 1.17.0-1.17.12, anything < k8s 1.17, 1.20.0-alpha2 | 1.19.3, 1.18.10, 1.17.13
CVE-2020-8566 | kube-apiserver | >=9 | Kubernetes authorization tokens (incl. bearer tokens and basic auth) | 1.19.0-1.19.2, 1.18.0-1.18.9, 1.17.0-1.17.12, anything < k8s 1.17 | Not Available

How do I detect it?

Logs can be searched for any secret values that have already been exposed. The individual pull requests for each vulnerability contain details on the particular log entries that can include secret values:

How do I mitigate these vulnerabilities?

All four vulnerabilities are only exposed when verbose logging is enabled on the respective component, which is not the case by default. They can therefore all be mitigated by keeping each component's log level below 4.
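As an added example (not Rancher's or Kubernetes' own code), the following Python checks control-plane command lines, as listed by `ps -o args=` or taken from a container's arguments, against the verbosity thresholds in the table above. It assumes the "Docker Config File" row applies to the kubelet binary, which reads that file, and it also accounts for `--vmodule`, which can raise klog verbosity for individual source files even when the global `-v` is low.

```python
import shlex

# Thresholds from the advisory table: the verbosity (-v/--v) at or above
# which the listed secrets reach the logs. Mapping the "Docker Config
# File" row to the kubelet binary is an assumption of this example.
THRESHOLDS = {"kube-controller-manager": 4, "kube-apiserver": 9, "kubelet": 4}

def _flag_values(args, name):
    """Values given as --name=VAL, -name=VAL, --name VAL or -name VAL."""
    vals = []
    for i, a in enumerate(args):
        if a in (f"-{name}", f"--{name}") and i + 1 < len(args):
            vals.append(args[i + 1])
        elif a.startswith((f"-{name}=", f"--{name}=")):
            vals.append(a.split("=", 1)[1])
    return vals

def klog_level(args):
    """Effective klog verbosity: the global -v or, if higher, the largest
    per-file level in --vmodule=file=N,..., which raises verbosity for
    specific source files even when -v is low. 0 if neither is set."""
    levels = [int(v) for v in _flag_values(args, "v") if v.isdigit()]
    for spec in _flag_values(args, "vmodule"):
        levels += [int(n) for n in (p.rpartition("=")[2] for p in spec.split(","))
                   if n.isdigit()]
    return max(levels, default=0)

def assess(cmdline):
    """Classify one command line (a row of `ps -o args=`, or a container's
    Args joined by spaces). None for processes the advisory does not cover."""
    args = shlex.split(cmdline)
    name = args[0].rsplit("/", 1)[-1] if args else ""
    if name not in THRESHOLDS:
        return None
    level = klog_level(args[1:])
    return {"component": name, "level": level, "exposed": level >= THRESHOLDS[name]}

# Constructed sample command lines, not captured from a real cluster.
SAMPLE_PS = [
    "/usr/local/bin/kube-apiserver --secure-port=6443 --v=4",
    "/usr/local/bin/kube-controller-manager --cloud-provider=vsphere -v 4",
    "/usr/local/bin/kubelet --v=2 --vmodule=config=5,kubelet=3",
    "/usr/local/bin/kube-scheduler --v=6",
]

def exposed_components(lines=SAMPLE_PS):
    """Covered components whose verbosity meets the exposure threshold."""
    return [r["component"] for r in map(assess, lines) if r and r["exposed"]]
```

On the constructed sample, `exposed_components()` flags kube-controller-manager (global `-v 4`) and the kubelet (`--vmodule` raises one file to 5), while the kube-apiserver at `--v=4` stays below its threshold of 9.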

All four vulnerabilities can additionally be mitigated by preventing untrusted access to log files. An attacker can only recover the sensitive information exposed by these vulnerabilities if they can access the target logs.

If any exposed secrets are found in log files, it is recommended to rotate them as soon as possible. Exposure can occur in Kubernetes server-side components, including kube-apiserver and kube-controller-manager. Client tools using the affected code, like kubectl, can also log secret data.

Updated Kubernetes Versions

Rancher has released the following Kubernetes version updates, which are available as metadata updates for the Rancher versions listed below. If you are unable to lower your log level, we recommend updating to these versions of Rancher and upgrading to the latest Kubernetes versions.

For RKE

Updated K8S Versions for RKE | Rancher Version | New RKE CLI
--- | --- | ---
1.19.3, 1.18.10, 1.17.13 | Rancher v2.5.0+ | v1.2.1
1.18.10, 1.17.13 | Rancher v2.4.5+ | v1.1.10
1.17.13 | Rancher v2.3.8+ | v1.0.13

For K3S

Updated K8S Versions for K3S | Rancher Version
--- | ---
v1.19.3+k3s1, v1.18.10+k3s1, v1.17.13+k3s1 | Rancher v2.5.0+
v1.17.13+k3s1 | Rancher v2.4.0+
v1.18.10+k3s1 | Rancher v2.4.5+

For RKE2

Updated K8S Versions for RKE2 | Rancher Version
--- | ---
v1.18.10+rke2r1 | Rancher v2.5.0+

If there are any questions, simply submit a request via this portal referencing this article and we will track and respond to your question as a Support Ticket.

Thanks,
Rancher Support Team
