[Vulnerability Warning] Notification on Vulnerabilities Relevant to Kubernetes

2019-04-08 16:35:37
JD Cloud security team recently observed the disclosure of multiple vulnerabilities affecting JCS for Kubernetes.

JD Cloud security team recommends that you carry out a security self-check promptly. If your deployment falls within the influence range below, update and fix the problem in time to avoid attacks from an external attacker.

Vulnerability Description

- CVE-2019-1002100: A malicious user with patch permissions can send specially crafted, overlong "json-patch" requests (for example via kubectl patch --type json, or any request with "Content-Type: application/json-patch+json"), causing a denial of service by exhausting the CPU resources of the Kubernetes API server.

- CVE-2019-1002101: A security vulnerability exists in the kubectl cp command. An attacker can abuse kubectl cp to replace or delete files on the user's workstation, and to write a malicious file to any path on the user's computer.

- CVE-2019-9946: A security vulnerability exists in the Kubernetes CNI framework: a security problem was found in the interaction between the CNI port mapping plug-in (versions below 0.7.5) and Kubernetes. Because the CNI port mapping plug-in is embedded into the Kubernetes component by default, only an upgrade to a new version of Kubernetes can solve this problem.

Risk Level

High Risk

Influence Range

CVE-2019-1002100: Kubernetes v1.0.x-1.10.x, Kubernetes v1.11.0-1.11.7, Kubernetes v1.12.0-1.12.5, Kubernetes v1.13.0-1.13.3

CVE-2019-1002101: All versions other than Kubernetes 1.11.9, 1.12.7, 1.13.5, 1.14.0 or later

CVE-2019-9946: All versions other than Kubernetes 1.11.9, 1.12.7, 1.13.5, 1.14.0 or later, when Kubernetes is paired with a CNI configuration that uses the port mapping plug-in
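To check a cluster against the version ranges listed above, the following added example (written for this page, not part of the advisory or of any JD Cloud tool) parses the output of kubectl version -o json and reports which of the three CVEs apply. It assumes the clientVersion/serverVersion gitVersion fields of that output; the embedded JSON is a constructed sample, and whether the port mapping plug-in is in use must be supplied by the operator.

```python
"""Classify kubectl client/server versions against the ranges in this advisory."""
import json
import re

# CVE-2019-1002100 (API server): minor -> last affected patch; 1.0.x-1.10.x all affected.
JSON_PATCH_LAST_BAD = {11: 7, 12: 5, 13: 3}
# CVE-2019-1002101 / CVE-2019-9946: minor -> first fixed patch; 1.14.0 and later are fixed.
FIRST_FIXED = {11: 9, 12: 7, 13: 5}

# Constructed sample of `kubectl version -o json` (assumed field layout, not captured output).
SAMPLE_KUBECTL_VERSION = """{
  "clientVersion": {"gitVersion": "v1.13.4", "platform": "linux/amd64"},
  "serverVersion": {"gitVersion": "v1.12.6-gke.1", "platform": "linux/amd64"}
}"""


def parse_version(git_version):
    """'v1.12.6-gke.1' -> (1, 12, 6); build suffixes after the patch number are ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", git_version)
    if not m:
        raise ValueError(f"unrecognised version string: {git_version!r}")
    return tuple(int(x) for x in m.groups())


def affected_json_patch_dos(version):
    """True if an API server at this version is in the CVE-2019-1002100 range above."""
    major, minor, patch = version
    if major != 1:
        return major < 1  # pre-1.0 predates every listed fix
    if minor <= 10:
        return True
    last_bad = JSON_PATCH_LAST_BAD.get(minor)
    return last_bad is not None and patch <= last_bad


def before_fixed_releases(version):
    """True if this version predates the 1.11.9 / 1.12.7 / 1.13.5 / 1.14.0 fixes."""
    major, minor, patch = version
    if major != 1:
        return major < 1
    if minor >= 14:
        return False
    first_fixed = FIRST_FIXED.get(minor)
    return first_fixed is None or patch < first_fixed


def assess(kubectl_version_json, uses_portmap_plugin):
    """Map each advisory CVE to True (affected) or False for the given versions."""
    data = json.loads(kubectl_version_json)
    client = parse_version(data["clientVersion"]["gitVersion"])  # kubectl cp runs client-side
    server = parse_version(data["serverVersion"]["gitVersion"])  # API server and CNI are cluster-side
    return {
        "CVE-2019-1002100": affected_json_patch_dos(server),
        "CVE-2019-1002101": before_fixed_releases(client),
        "CVE-2019-9946": uses_portmap_plugin and before_fixed_releases(server),
    }


if __name__ == "__main__":
    for cve, hit in assess(SAMPLE_KUBECTL_VERSION, uses_portmap_plugin=True).items():
        print(f"{cve}: {'AFFECTED' if hit else 'not affected'}")
```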

Security Recommendations

Upgrade JCS for Kubernetes to a fixed version.

Reference Link


2. https://discuss.kubernetes.io/t/announce-security-release-of-kubernetes-kubectl-potential-directory-traversal-releases-1-11-9-1-12-7-1-13-5-and-1-14-0-cve-2019-1002101/5712

3. https://mp.weixin.qq.com/s/JIxSKbVTZn1v2kqgRPCljg

