Allele Security Alert
ASA-2019-00495
Identifier(s)
ASA-2019-00495, CVE-2019-10223
Title
Secret content disclosure in metrics
Vendor(s)
Cloud Native Computing Foundation
Product(s)
Kubernetes kube-state-metrics
Affected version(s)
Kubernetes kube-state-metrics versions v1.7.0 and v1.7.1
Fixed version(s)
Kubernetes kube-state-metrics version v1.7.2
Proof of concept
Unknown
Description
An experimental feature added in the v1.7.0 release exposed object annotations as metrics (the `kube_*_annotations` metric families, with one label per annotation key). By default, kube-state-metrics exposes only metadata about Secrets, never their contents. However, `kubectl apply` records the complete object it applied, including a Secret's `data` field, in the `kubectl.kubernetes.io/last-applied-configuration` annotation. Combined with the new feature, that annotation value is copied into a label of the `kube_secret_annotations` metric, so the entire secret content is exposed to anyone who can scrape the kube-state-metrics `/metrics` endpoint or query the monitoring system that stores the scrape.
Technical details
Unknown
Workaround
If you are unable to upgrade to v1.7.2 or later, filter out all of the annotation metrics by passing the following flag to kube-state-metrics:
--metric-blacklist="kube_.*_annotations"
Note that secret content already scraped remains in the monitoring system's storage; treat any Secret managed with `kubectl apply` while an affected version was running as exposed and rotate it.
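The following is an added example, not code from kube-state-metrics or from this alert. It reproduces the mechanism described above on a constructed scrape (the object names, the secret value and the `annotation_...` label name are hypothetical) and shows two things: how to detect a Secret that has been serialized into an annotation label, and that the workaround's blacklist regex removes the affected metric families. The Prometheus text-format parsing and the assumption that `--metric-blacklist` matches the metric family name are the author's, not kube-state-metrics code.

```python
"""Detect Secret contents leaked into kube-state-metrics annotation labels.

Added example (not kube-state-metrics code). The scrape below is
constructed to mirror the CVE-2019-10223 mechanism: `kubectl apply`
stores the full object in the kubectl.kubernetes.io/last-applied-configuration
annotation, and the v1.7.0/v1.7.1 kube_*_annotations metrics copy every
annotation value into a label.
"""
import base64
import json
import re

# Prometheus text exposition sample line: name{label="value",...} value
SAMPLE_RE = re.compile(
    r'^(?P<name>[a-zA-Z_:][a-zA-Z0-9_:]*)(?:\{(?P<labels>.*)\})?\s+(?P<value>\S+)')
LABEL_RE = re.compile(r'([a-zA-Z_][a-zA-Z0-9_]*)="((?:[^"\\]|\\.)*)"')
# The regex from the advisory's workaround flag: --metric-blacklist="kube_.*_annotations"
BLACKLIST_RE = re.compile(r'kube_.*_annotations')


def escape_label_value(s):
    """Escape a label value as the exposition format requires (\\, \" and newline)."""
    return s.replace('\\', '\\\\').replace('"', '\\"').replace('\n', '\\n')


def unescape_label_value(s):
    """Inverse of escape_label_value: \\\\ -> \\, \\" -> ", \\n -> newline."""
    return re.sub(r'\\(.)', lambda m: '\n' if m.group(1) == 'n' else m.group(1), s)


# --- constructed sample scrape (hypothetical names; "hunter2" is a dummy secret) ---
_last_applied = json.dumps({
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "db-creds", "namespace": "default", "annotations": {}},
    "data": {"password": base64.b64encode(b"hunter2").decode()},
}, separators=(",", ":")) + "\n"  # kubectl writes the JSON with a trailing newline

SAMPLE_SCRAPE = "\n".join([
    "# HELP kube_secret_info Information about secret.",
    "# TYPE kube_secret_info gauge",
    'kube_secret_info{namespace="default",secret="db-creds"} 1',
    "# HELP kube_secret_annotations Kubernetes annotations converted to Prometheus labels.",
    "# TYPE kube_secret_annotations gauge",
    'kube_secret_annotations{namespace="default",secret="db-creds",'
    + 'annotation_kubectl_kubernetes_io_last_applied_configuration="'
    + escape_label_value(_last_applied) + '"} 1',
    # A Secret created through the API without `kubectl apply` has no such annotation.
    'kube_secret_annotations{namespace="kube-system",secret="created-by-api"} 1',
    'kube_namespace_annotations{namespace="default",annotation_team="payments"} 1',
])


def parse_samples(scrape_text):
    """Yield (metric_name, labels) per sample line, with label values unescaped."""
    for line in scrape_text.splitlines():
        if not line or line.startswith("#"):
            continue
        m = SAMPLE_RE.match(line)
        if m is None:
            continue
        labels = {k: unescape_label_value(v)
                  for k, v in LABEL_RE.findall(m.group("labels") or "")}
        yield m.group("name"), labels


def find_leaked_secrets(scrape_text):
    """Return one finding per annotation label that carries a serialized Secret."""
    findings = []
    for name, labels in parse_samples(scrape_text):
        if not BLACKLIST_RE.search(name):  # only kube_*_annotations carry annotation values
            continue
        for label, value in labels.items():
            if not label.startswith("annotation_"):
                continue
            try:
                obj = json.loads(value)
            except ValueError:
                continue  # ordinary annotation string, not a serialized object
            if not isinstance(obj, dict) or obj.get("kind") != "Secret":
                continue
            leaked = {k: base64.b64decode(v).decode("utf-8", "replace")
                      for k, v in obj.get("data", {}).items()}
            leaked.update(obj.get("stringData", {}))  # stringData is already plaintext
            findings.append({"metric": name, "namespace": labels.get("namespace"),
                             "secret": labels.get("secret"), "label": label,
                             "values": leaked})
    return findings


def apply_blacklist(scrape_text, pattern=BLACKLIST_RE):
    """Drop sample lines whose family matches the workaround regex.

    Assumption: the flag's regex is applied to the metric family name
    (modelled here as an unanchored search). HELP/TYPE comment lines are kept.
    """
    kept = []
    for line in scrape_text.splitlines():
        m = SAMPLE_RE.match(line) if line and not line.startswith("#") else None
        if m is not None and pattern.search(m.group("name")):
            continue
        kept.append(line)
    return "\n".join(kept)


if __name__ == "__main__":
    for f in find_leaked_secrets(SAMPLE_SCRAPE):
        print(f"{f['metric']} {f['namespace']}/{f['secret']} via {f['label']}: "
              f"keys={sorted(f['values'])}")
    print("findings after workaround:", find_leaked_secrets(apply_blacklist(SAMPLE_SCRAPE)))
```

Run against a real scrape (`curl http://<kube-state-metrics>:8080/metrics`) the same scanner flags every Secret whose last-applied configuration has reached a label; a non-empty result on a v1.7.0 or v1.7.1 deployment means the listed secrets should be rotated, not just the exporter upgraded.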
Credits
Moritz S.
Reference(s)
[ANNOUNCE] Security release of kube-state-metrics v1.7.2
https://www.openwall.com/lists/oss-security/2019/08/09/1
coreos / kube-state-metrics
https://quay.io/coreos/kube-state-metrics:v1.7.2
Release v1.7.2 / 2019-08-05 · kubernetes/kube-state-metrics
https://github.com/kubernetes/kube-state-metrics/releases/tag/v1.7.2
add kube_*_annotations metrics for all objects
https://github.com/kubernetes/kube-state-metrics/commit/5ae00bb93fb6c224324d02d8b57c1fb1147948c9
Revert “add kube_*_annotations metrics for all objects”
https://github.com/kubernetes/kube-state-metrics/commit/03122fe3e2df49a9a7298b8af921d3c37c430f7f
Remove kube_namespace_annotations metric
https://github.com/kubernetes/kube-state-metrics/commit/2a9ab3a9a0f1c4dbecb6a5577185b33bfac86a96
*: cut v1.7.2 release
https://github.com/kubernetes/kube-state-metrics/commit/9128aca36c9506d73f76c3e726eaac1ac5d27ef5
CVE-2019-10223
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10223
CVE-2019-10223
https://nvd.nist.gov/vuln/detail/CVE-2019-10223
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: October 23, 2019