Dear Rancher Customer,
Kubernetes has released patch versions this week to address the following four medium-rated vulnerabilities:
- CVE-2020-8563: Secret leaks in logs for vSphere Provider kube-controller-manager
- CVE-2020-8564: Docker config secrets leaked when file is malformed and loglevel >= 4
- CVE-2020-8565: Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9
- CVE-2020-8566: Ceph RBD adminSecrets exposed in logs when loglevel >= 4
To see if your clusters are vulnerable, please go through the CVE posts in the kubernetes-security-announce forum and the information below in this advisory post.
Am I vulnerable?
If sufficiently verbose logging is enabled for the listed components, the following secrets can be written to their logs. None of these components run at log level 4 or higher by default, so you are vulnerable only if you have raised the log level of one of these components to the level shown in the table below or higher.
| CVE | Component | Log Level | Exposed Secret | Affected K8S Version | Fixed K8S Version |
|---|---|---|---|---|---|
| CVE-2020-8563 | kube-controller-manager | >=4 | vSphere cloud credentials when using vSphere as a cloud provider | 1.19.0-1.19.2 | 1.19.3 |
| CVE-2020-8566 | kube-controller-manager | >=4 | Ceph RBD admin secrets | 1.19.0-1.19.2, 1.18.0-1.18.9, 1.17.0-1.17.12, anything < k8s 1.17 | 1.19.3, 1.18.10, 1.17.13 |
| CVE-2020-8564 | Docker config file | >=4 | Pull secrets or other credentials in the docker config file, as well as a malformed docker config file | 1.19.0-1.19.2, 1.18.0-1.18.9, 1.17.0-1.17.12, anything < k8s 1.17 | 1.20.0-alpha2 |
| CVE-2020-8565 | kube-apiserver | >=9 | Kubernetes authorization tokens (incl. bearer tokens and basic auth) | 1.19.0-1.19.2, 1.18.0-1.18.9, 1.17.0-1.17.12, anything < k8s 1.17 | Not available |
How do I detect it?
Logs can be searched for any secret values that have already been exposed. The individual pull requests for each vulnerability contain details on the particular log entries that can include secret values:
- CVE-2020-8563 - https://github.com/kubernetes/kubernetes/pull/95236
- CVE-2020-8564 - https://github.com/kubernetes/kubernetes/pull/94712
- CVE-2020-8565 - https://github.com/kubernetes/kubernetes/pull/95316
- CVE-2020-8566 - https://github.com/kubernetes/kubernetes/pull/95245
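The detection step above is to search logs for secret values that may already have been written. The following script is an added example, not code from Rancher or the Kubernetes project: given the secret values you already hold (for example, the data fields of the affected Secret objects), it reports which of them occur in a log stream, in either decoded or base64 form, so those secrets can be rotated. All secrets and log lines in it are constructed samples, not real credentials or real klog output.

```python
"""Search existing logs for secret values already known to the operator.

Added example, not code from Rancher or the Kubernetes project. Given the
secrets you hold, report which ones occur in a log stream (decoded or
base64-encoded) so they can be rotated. Secrets and log lines below are
constructed samples, not real credentials or real klog output.
"""
import base64
from typing import Dict, Iterable, List, Tuple

# Constructed sample secrets (placeholders, not real credentials).
SECRETS: Dict[str, str] = {
    "vsphere-password": "Hunter2Hunter2!",
    "rbd-admin-key": "AQAnExampleCephKeyOnly==",
    "registry-token": "short",  # too short to search for without false hits
}

# Constructed sample log lines; the layout only loosely imitates klog.
LOG_LINES: List[str] = [
    "I1020 10:00:01.000001       1 controllermanager.go:175] Starting controllers",
    "I1020 10:00:02.000002       1 vsphere.go:318] provider config user=admin password=Hunter2Hunter2!",
    'I1020 10:00:03.000003       1 rbd.go:604] admin secret {"key":"'
    + base64.b64encode(b"AQAnExampleCephKeyOnly==").decode() + '"}',
    "I1020 10:00:04.000004       1 kubelet.go:1234] a short message with the word short in it",
]


def secret_forms(name: str, value: str) -> Dict[str, str]:
    """Encodings of one secret worth matching: components log either the
    decoded value or the Secret object, whose data is base64-encoded."""
    return {
        name: value,
        f"{name} (base64)": base64.b64encode(value.encode()).decode(),
    }


def scan_logs(secrets: Dict[str, str], lines: Iterable[str],
              min_len: int = 12) -> List[Tuple[int, str]]:
    """Return (line_number, label) for every secret form found in the lines.
    Forms shorter than min_len are skipped: a value like "short" would match
    ordinary words and bury the real findings in noise."""
    needles: Dict[str, str] = {}
    for name, value in secrets.items():
        for label, form in secret_forms(name, value).items():
            if len(form) >= min_len:
                needles[label] = form
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(lines, start=1):
        for label, needle in needles.items():
            if needle in line:
                hits.append((lineno, label))
    return hits


def rotation_candidates(secrets: Dict[str, str], lines: Iterable[str]) -> List[str]:
    """Names of secrets that appeared in the logs in any form: rotate these."""
    return sorted({label.split(" (")[0] for _, label in scan_logs(secrets, lines)})


if __name__ == "__main__":
    for lineno, label in scan_logs(SECRETS, LOG_LINES):
        print(f"line {lineno}: {label}")
    print("rotate:", rotation_candidates(SECRETS, LOG_LINES))
```

Feed it the real log files of kube-controller-manager, kube-apiserver and any client tools that ran at elevated verbosity, and the secret values from the cluster; a hit on any line means that secret has left the secret store and should be rotated regardless of whether the log level has since been lowered.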
How do I mitigate these vulnerabilities?
All four vulnerabilities are only exposed when verbose logging levels are enabled for the respective component, which is not done by default. These vulnerabilities can all therefore be mitigated by ensuring that the log level is below 4.
All four vulnerabilities can additionally be mitigated by preventing untrusted access to log files. An attacker can only recover the sensitive information exposed by these vulnerabilities if they can access the target logs.
If any exposed secrets are found in log files, it is recommended to rotate them as soon as possible. Exposure can occur in Kubernetes server-side components, including kube-apiserver and kube-controller-manager. Client tools using the affected code, like kubectl, can also log secret data.
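The mitigation above is to keep each component's log level below the threshold in the table. The following script is an added example, not code from Rancher or the Kubernetes project: it parses a component's klog verbosity from its container command line (the forms klog accepts: -v=N, --v=N, -v N, --v N) and reports any component running at or above the level at which the table says secrets reach the logs. The pod list in it is a constructed sample shaped like the JSON that `kubectl -n kube-system get pods -o json` returns; on RKE, where the control plane runs as plain Docker containers, the same flags appear in the container command line shown by `docker inspect`. The thresholds are taken from the table; the Docker config file case is not a component flag and is not covered here.

```python
"""Flag control-plane components running at a klog verbosity that leaks secrets.

Added example, not code from Rancher or the Kubernetes project. Thresholds
come from the advisory's table; the pod list is a constructed sample shaped
like 'kubectl -n kube-system get pods -o json' output, not a real cluster.
"""
from typing import Dict, List

# Log level at which the advisory's table says each component writes secrets.
LEAK_THRESHOLDS: Dict[str, int] = {
    "kube-controller-manager": 4,  # vSphere credentials, Ceph RBD admin secrets
    "kube-apiserver": 9,           # authorization tokens
}

# Constructed sample, not output from a real cluster.
SAMPLE_PODS = {
    "items": [
        {"metadata": {"name": "kube-controller-manager-node1"},
         "spec": {"containers": [{
             "name": "kube-controller-manager",
             "command": ["kube-controller-manager"],
             "args": ["--cloud-provider=vsphere", "--v=4"]}]}},
        {"metadata": {"name": "kube-apiserver-node1"},
         "spec": {"containers": [{
             "name": "kube-apiserver",
             "command": ["kube-apiserver", "-v", "2"]}]}},
        {"metadata": {"name": "kube-scheduler-node1"},
         "spec": {"containers": [{
             "name": "kube-scheduler",
             "command": ["kube-scheduler", "--v=5"]}]}},
    ]
}


def klog_verbosity(args: List[str]) -> int:
    """Return the klog -v level from an argument list, 0 if it is not set.
    Later occurrences override earlier ones, as Go's flag package does."""
    level = 0
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-v", "--v") and i + 1 < len(args):
            level = int(args[i + 1])  # separated form: -v 4 / --v 4
            i += 2
            continue
        for prefix in ("-v=", "--v="):
            if arg.startswith(prefix):  # joined form: -v=4 / --v=4
                level = int(arg[len(prefix):])
        i += 1
    return level


def components_from_pods(pod_list: dict) -> Dict[str, List[str]]:
    """Map container name -> full command line (command + args) for every
    container in a pod list, so components can be looked up by name."""
    components: Dict[str, List[str]] = {}
    for pod in pod_list.get("items", []):
        for container in pod.get("spec", {}).get("containers", []):
            cmdline = list(container.get("command", [])) + list(container.get("args", []))
            components[container["name"]] = cmdline
    return components


def assess(components: Dict[str, List[str]]) -> List[str]:
    """One finding per component whose verbosity is at or above its threshold."""
    findings: List[str] = []
    for name, cmdline in components.items():
        threshold = LEAK_THRESHOLDS.get(name)
        if threshold is None:
            continue  # not one of the components named in the advisory
        level = klog_verbosity(cmdline)
        if level >= threshold:
            findings.append(f"{name}: -v={level} is at or above {threshold}; "
                            f"secrets are written to its logs at this level")
    return findings


if __name__ == "__main__":
    for finding in assess(components_from_pods(SAMPLE_PODS)):
        print(finding)
```

In the sample only kube-controller-manager is reported: kube-apiserver runs at -v=2, below its threshold of 9, and kube-scheduler is not one of the components the advisory names, so its -v=5 is ignored.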
Updated Kubernetes Versions
Rancher has released the following Kubernetes version updates, which are available as metadata updates for the following Rancher versions. If you are unable to lower your log level, we recommend updating to these versions of Rancher and upgrading to the latest Kubernetes versions.
For RKE
| Updated K8S Versions for RKE | Rancher Version | New RKE CLI |
|---|---|---|
| 1.19.3, 1.18.10, 1.17.13 | Rancher v2.5.0+ | v1.2.1 |
| 1.18.10, 1.17.13 | Rancher v2.4.5+ | v1.1.10 |
| 1.17.13 | Rancher v2.3.8+ | v1.0.13 |
For K3S
| Updated K8S Versions for K3S | Rancher Version |
|---|---|
| v1.19.3+k3s1, v1.18.10+k3s1, v1.17.13+k3s1 | Rancher v2.5.0+ |
| v1.17.13+k3s1 | Rancher v2.4.0+ |
| v1.18.10+k3s1 | Rancher v2.4.5+ |
For RKE2
| Updated K8S Versions for RKE2 | Rancher Version |
|---|---|
| v1.18.10+rke2r1 | Rancher v2.5.0+ |
If there are any questions, simply submit a request via this portal referencing this article and we will track and respond to your question as a Support Ticket.
Thanks,
Rancher Support Team