Allele Security Alert
ASA-2019-00492
Identifier(s)
ASA-2019-00492, CVE-2019-11247
Title
API server allows access to custom resources via wrong scope
Vendor(s)
Cloud Native Computing Foundation
Product(s)
Kubernetes
Affected version(s)
Kubernetes versions before v1.13.9
Kubernetes versions before v1.14.5
Kubernetes versions before v1.15.2
Fixed version(s)
Kubernetes version v1.13.9
Kubernetes version v1.14.5
Kubernetes version v1.15.2
Proof of concept
Unknown
Description
This vulnerability allows access to a cluster-scoped custom resource if the request is made as if the resource were namespaced. Authorization for a resource accessed in this manner is enforced using the roles and role bindings of that namespace, meaning that a user with access only to a resource in one namespace could create, view, update or delete the cluster-scoped resource (according to their namespace role privileges).
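Two checks a cluster operator would want for this advisory, written here as an added example rather than anything from the advisory or the Kubernetes project: a version test against the fixed releases listed above, and an audit-log sweep that flags requests naming a cluster-scoped custom resource while also carrying a namespace (the "wrong scope" access pattern the description refers to). The CRD names, usernames and audit events are constructed sample data; the code assumes the kube-apiserver audit Event layout in which objectRef carries apiGroup, resource, namespace and name, and that vendor builds keep upstream patch numbering behind any suffix such as "-gke.1".

```python
import json
import re

# Patch levels that carry the fix, as listed in the advisory (v1.13.9, v1.14.5, v1.15.2).
FIXED_PATCH = {13: 9, 14: 5, 15: 2}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def is_fixed(git_version):
    """True if an API server reporting this gitVersion is at or past a fixed release.

    Minor releases older than 1.13 never received a fix; 1.16 and later ship with it.
    Vendor suffixes are ignored (assumption: vendors keep upstream patch numbering).
    """
    m = _VERSION_RE.match(git_version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {git_version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    if major != 1:
        return major > 1
    if minor < 13:
        return False
    if minor > 15:
        return True
    return patch >= FIXED_PATCH[minor]


def crd_scopes(crd_list):
    """Map (apiGroup, plural resource name) -> scope from a CustomResourceDefinitionList
    in the shape `kubectl get crd -o json` returns (spec.group, spec.names.plural, spec.scope)."""
    scopes = {}
    for item in crd_list.get("items", []):
        spec = item["spec"]
        scopes[(spec["group"], spec["names"]["plural"])] = spec["scope"]
    return scopes


def find_wrong_scope_requests(scopes, audit_lines):
    """Return audit events whose objectRef names a cluster-scoped custom resource
    but also carries a namespace, i.e. the request came in through a namespaced URL.
    On a fixed server such requests are rejected; on an affected one they are authorized
    against the namespace's RBAC, so any hit with a 2xx response deserves a look."""
    hits = []
    for line in audit_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ref = ev.get("objectRef") or {}
        key = (ref.get("apiGroup", ""), ref.get("resource", ""))
        if scopes.get(key) == "Cluster" and ref.get("namespace"):
            hits.append({
                "user": (ev.get("user") or {}).get("username"),
                "verb": ev.get("verb"),
                "resource": f"{key[1]}.{key[0]}",
                "namespace": ref["namespace"],
                "name": ref.get("name"),
                "code": (ev.get("responseStatus") or {}).get("code"),
            })
    return hits


# Constructed sample CRD list: one cluster-scoped and one namespaced custom resource.
SAMPLE_CRD_LIST = {
    "kind": "CustomResourceDefinitionList",
    "items": [
        {"spec": {"group": "example.com", "names": {"plural": "widgets"}, "scope": "Cluster"}},
        {"spec": {"group": "example.com", "names": {"plural": "gadgets"}, "scope": "Namespaced"}},
    ],
}

# Constructed audit events (one JSON object per line, as the JSON audit backend writes them).
SAMPLE_AUDIT_LINES = [
    # cluster-scoped resource reached through a namespaced path: the pattern to flag
    json.dumps({"verb": "update", "user": {"username": "dev-alice"},
                "objectRef": {"apiGroup": "example.com", "resource": "widgets",
                              "namespace": "team-a", "name": "shared-widget"},
                "responseStatus": {"code": 200}}),
    # ordinary cluster-scoped access, no namespace in the URL
    json.dumps({"verb": "get", "user": {"username": "admin"},
                "objectRef": {"apiGroup": "example.com", "resource": "widgets",
                              "name": "shared-widget"},
                "responseStatus": {"code": 200}}),
    # namespaced custom resource accessed normally
    json.dumps({"verb": "list", "user": {"username": "dev-alice"},
                "objectRef": {"apiGroup": "example.com", "resource": "gadgets",
                              "namespace": "team-a"},
                "responseStatus": {"code": 200}}),
]

if __name__ == "__main__":
    for v in ("v1.14.4", "v1.14.5-gke.1", "v1.16.0"):
        print(v, "fixed" if is_fixed(v) else "AFFECTED")
    for hit in find_wrong_scope_requests(crd_scopes(SAMPLE_CRD_LIST), SAMPLE_AUDIT_LINES):
        print("wrong-scope request:", hit)
```

Feed `is_fixed` the gitVersion from `kubectl version -o json` and the audit sweep a real audit log together with the cluster's own CRD list; the scope map is what makes the check precise, since the same resource plural can be cluster-scoped in one group and namespaced in another.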
Technical details
Unknown
Credits
Prabu Shyam (Verizon Media)
Reference(s)
Kubernetes v1.13.9, v1.14.5, v1.15.2 released to address CVE-2019-11247, CVE-2019-11249
https://www.openwall.com/lists/oss-security/2019/08/05/5
v1.13.9, v1.14.5, v1.15.2 released to address CVE-2019-11247, CVE-2019-11249
https://groups.google.com/forum/#!topic/kubernetes-security-announce/vUtEcSEY6SM
CVE-2019-11247: API server allows access to custom resources via wrong scope #80983
https://github.com/kubernetes/kubernetes/issues/80983
CHANGELOG-1.13.md
https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.13.md
CHANGELOG-1.14.md
https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.14.md
CHANGELOG-1.15.md
https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.15.md
CVE-2019-11247
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11247
CVE-2019-11247
https://nvd.nist.gov/vuln/detail/CVE-2019-11247
If there is any error in this alert or you would like a comprehensive analysis, let us know.
Last modified: August 29, 2019