ASA-2019-00495 – Kubernetes kube-state-metrics: Secret content disclosure in metrics


Allele Security Alert

ASA-2019-00495

Identifier(s)

ASA-2019-00495, CVE-2019-10223

Title

Secret content disclosure in metrics

Vendor(s)

Cloud Native Computing Foundation

Product(s)

Kubernetes kube-state-metrics

Affected version(s)

Kubernetes kube-state-metrics versions v1.7.0 and v1.7.1

Fixed version(s)

Kubernetes kube-state-metrics version v1.7.2

Proof of concept

Unknown

Description

An experimental feature was added to the v1.7.0 release that enabled annotations to be exposed as metrics. By default, the kube-state-metrics metrics only expose metadata about Secrets. However, a combination of the default `kubectl` behavior and this new feature can cause the entire secret content to end up in metric labels, thus inadvertently exposing the secret content in metrics.

Technical details

Unknown

Workaround

If you are unable to upgrade to the latest version of kube-state-metrics, you can filter out all of the annotation metrics by passing the following flag to kube-state-metrics:

--metric-blacklist="kube_.*_annotations"
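As an added example (not part of this alert or of the kube-state-metrics project), a Python check a defender can run over a saved /metrics scrape: it parses the exposition text, lists every series the workaround's `kube_.*_annotations` pattern would drop, and flags Secret annotation values that embed a whole manifest. The sample scrape is constructed; the `kubectl.kubernetes.io/last-applied-configuration` annotation it contains is the one `kubectl apply` writes, assumed here to be the default kubectl behavior the description refers to.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a kube-state-metrics /metrics scrape (not real data).
# `kubectl apply` stores the whole object, Secret data included, in the
# kubectl.kubernetes.io/last-applied-configuration annotation, which the
# v1.7.0 kube_*_annotations metrics copied verbatim into a label value.
SAMPLE_SCRAPE = r'''
# HELP kube_secret_info Information about secret.
kube_secret_info{namespace="default",secret="db-creds"} 1
kube_secret_annotations{namespace="default",secret="db-creds",annotation_kubectl_kubernetes_io_last_applied_configuration="{\"apiVersion\":\"v1\",\"data\":{\"password\":\"cGFzc3dvcmQ=\"},\"kind\":\"Secret\"}"} 1
kube_pod_annotations{namespace="default",pod="web-0",annotation_team="platform"} 1
kube_pod_info{namespace="default",pod="web-0"} 1
'''

ANNOTATION_METRIC = re.compile(r"kube_.*_annotations")  # the advisory's --metric-blacklist pattern
SERIES = re.compile(r'^([A-Za-z_:][A-Za-z0-9_:]*)\{(.*)\}\s+\S+\s*$')
LABEL = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="((?:[^"\\]|\\.)*)"')


def _unescape(value: str) -> str:
    """Undo exposition-format escaping of backslash, quote and newline in a label value."""
    return re.sub(r'\\(.)', lambda m: '\n' if m.group(1) == 'n' else m.group(1), value)


def parse_series(text: str) -> List[Tuple[str, Dict[str, str]]]:
    """Return (metric_name, labels) for each sample line; HELP/TYPE comments are skipped."""
    series = []
    for line in text.splitlines():
        m = SERIES.match(line)
        if line.startswith('#') or not m:
            continue
        series.append((m.group(1), {k: _unescape(v) for k, v in LABEL.findall(m.group(2))}))
    return series


def find_annotation_exposure(text: str) -> List[dict]:
    """List every series the blacklist would drop and flag Secret annotation values
    that embed a manifest with a data/stringData field, i.e. the secret content itself."""
    findings = []
    for name, labels in parse_series(text):
        if not ANNOTATION_METRIC.fullmatch(name):
            continue
        leaking = [k for k, v in labels.items()
                   if k.startswith('annotation_') and ('"data"' in v or '"stringData"' in v)]
        findings.append({
            'metric': name,
            'object': {k: v for k, v in labels.items() if not k.startswith('annotation_')},
            'secret_content': name.startswith('kube_secret_') and bool(leaking),
            'leaking_labels': leaking,
        })
    return findings
```

Run it against `curl -s http://<kube-state-metrics>:8080/metrics` output to confirm, after upgrading or applying the blacklist flag, that `find_annotation_exposure` returns an empty list.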

Credits

Moritz S.

Reference(s)

[ANNOUNCE] Security release of kube-state-metrics v1.7.2
https://www.openwall.com/lists/oss-security/2019/08/09/1

coreos / kube-state-metrics
https://quay.io/coreos/kube-state-metrics:v1.7.2

Release v1.7.2 / 2019-08-05 · kubernetes/kube-state-metrics
https://github.com/kubernetes/kube-state-metrics/releases/tag/v1.7.2

add kube_*_annotations metrics for all objects
https://github.com/kubernetes/kube-state-metrics/commit/5ae00bb93fb6c224324d02d8b57c1fb1147948c9

Revert “add kube_*_annotations metrics for all objects”
https://github.com/kubernetes/kube-state-metrics/commit/03122fe3e2df49a9a7298b8af921d3c37c430f7f

Remove kube_namespace_annotations metric
https://github.com/kubernetes/kube-state-metrics/commit/2a9ab3a9a0f1c4dbecb6a5577185b33bfac86a96

*: cut v1.7.2 release
https://github.com/kubernetes/kube-state-metrics/commit/9128aca36c9506d73f76c3e726eaac1ac5d27ef5

CVE-2019-10223
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10223

CVE-2019-10223
https://nvd.nist.gov/vuln/detail/CVE-2019-10223

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: October 23, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.