ASA-2019-00494 – Kubernetes: /debug/pprof exposed on kubelet’s healthz port


Allele Security Alert

ASA-2019-00494

Identifier(s)

ASA-2019-00494, CVE-2019-11248

Title

/debug/pprof exposed on kubelet’s healthz port

Vendor(s)

Cloud Native Computing Foundation

Product(s)

Kubernetes

Affected version(s)

Kubernetes versions before 1.15.0
Kubernetes versions before 1.14.4
Kubernetes versions before 1.13.8
Kubernetes versions before 1.12.10

Fixed version(s)

Kubernetes version 1.15
Kubernetes version 1.14
Kubernetes version 1.13

Proof of concept

Unknown

Description

The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet healthz port. The issue is of medium severity, and in the default configuration it is only exposed locally.

Technical details

The Go pprof endpoint is exposed over the Kubelet’s healthz port. This debugging endpoint can potentially leak sensitive information, such as internal Kubelet memory addresses and configuration, or be used for limited denial of service.
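
The pattern that the fix title "Avoid the default server mux" points at, shown as an added Go example that is not kubelet code: importing net/http/pprof registers its handlers on http.DefaultServeMux, so a health server serving that mux also serves /debug/pprof, while a dedicated mux does not. The handler and function names (healthz, sharedMux, dedicatedMux, statusOf) are hypothetical.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	_ "net/http/pprof" // side effect: init() registers /debug/pprof/* on http.DefaultServeMux
	"sync"
)

// healthz is a stand-in health check handler (hypothetical, for illustration).
func healthz(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "ok") }

var registerOnce sync.Once

// sharedMux serves /healthz from http.DefaultServeMux, so every handler that
// any imported package registered there (here: pprof) rides on the same port.
func sharedMux() http.Handler {
	registerOnce.Do(func() { http.HandleFunc("/healthz", healthz) })
	return http.DefaultServeMux
}

// dedicatedMux serves /healthz from its own ServeMux; only routes added
// explicitly are reachable.
func dedicatedMux() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/healthz", healthz)
	return mux
}

// statusOf sends an in-memory GET for path to h and returns the status code.
func statusOf(h http.Handler, path string) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code
}

func main() {
	for _, path := range []string{"/healthz", "/debug/pprof/"} {
		fmt.Printf("%-14s shared=%d dedicated=%d\n", path,
			statusOf(sharedMux(), path), statusOf(dedicatedMux(), path))
	}
}
```

The same statusOf check works as a regression test for any Go service: a health or metrics listener should return 404 for /debug/pprof/ unless profiling was deliberately mounted there.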

Credits

Jordan Zebor (F5 Networks)

Reference(s)

CVE-2019-11248: /debug/pprof exposed on kubelet’s healthz port #81023
https://github.com/kubernetes/kubernetes/issues/81023

[ANNOUNCE] CVE-2019-11248: /debug/pprof exposed on kubelet’s healthz port
https://groups.google.com/forum/#!topic/kubernetes-security-announce/pKELclHIov8

Automated cherry pick of #78313: Avoid the default server mux #79184
https://github.com/kubernetes/kubernetes/pull/79184

Automated cherry pick of #78313: Avoid the default server mux #79183
https://github.com/kubernetes/kubernetes/pull/79183

Automated cherry pick of #78313: Avoid the default server mux #79182
https://github.com/kubernetes/kubernetes/pull/79182

CVE-2019-11248: /debug/pprof exposed on kubelet’s healthz port #78313
https://github.com/kubernetes/kubernetes/pull/78313

Package pprof
https://golang.org/pkg/net/http/pprof/

CVE-2019-11248
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11248

CVE-2019-11248
https://nvd.nist.gov/vuln/detail/CVE-2019-11248


Last modified: August 29, 2019
