Allele Security Alert
ASA-2019-00587
Identifier(s)
ASA-2019-00587, CVE-2019-17110
Title
New feature exposing annotations as metrics can lead to information disclosure
Vendor(s)
Cloud Native Computing Foundation
Product(s)
Kubernetes kube-state-metrics
Affected version(s)
Kubernetes kube-state-metrics v1.7.0 and v1.7.1 (1.7.x before v1.7.2; earlier releases do not ship the annotation metrics feature)
Fixed version(s)
Kubernetes kube-state-metrics v1.7.2 (the experimental kube_*_annotations metrics were reverted)
Proof of concept
Unknown
Description
A security issue was discovered in kube-state-metrics 1.7.x before 1.7.2. An experimental feature added in v1.7.0 and v1.7.1 exposed every object annotation as a label on new kube_*_annotations metrics. By default, kube-state-metrics only exposes metadata about Secrets (names, namespaces, types), never their data. However, `kubectl apply` by default records the complete applied manifest, including the base64-encoded `data` of a Secret, in the kubectl.kubernetes.io/last-applied-configuration annotation. Combined with the new feature, that annotation, and with it the entire Secret content, ended up as the value of the annotation_kubectl_kubernetes_io_last_applied_configuration label on kube_secret_annotations, so anyone able to scrape the /metrics endpoint (or read the scraped time series in Prometheus) could recover the secrets.
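The following is an added illustration written for this alert; it is not code from kube-state-metrics or kubectl. It approximates the two behaviours described above (kubectl storing the applied manifest in the last-applied-configuration annotation, and the 1.7.0/1.7.1 exporter turning every annotation into a metric label) and then shows the check a practitioner would want: scan Prometheus exposition text for kube_secret_annotations samples whose last-applied-configuration label carries Secret data and decode it. The Secret object, the kubectl_apply and render_annotation_metrics helpers and the sample values are all constructed here and are assumptions, not the projects' own code.

```python
import base64
import json
import re

LAST_APPLIED = "kubectl.kubernetes.io/last-applied-configuration"


def kubectl_apply(obj: dict) -> dict:
    """Approximate the default `kubectl apply` behaviour on a fresh object:
    the stored object carries the applied manifest verbatim (data included)
    in the last-applied-configuration annotation. Constructed for this example."""
    stored = json.loads(json.dumps(obj))
    annotations = stored.setdefault("metadata", {}).setdefault("annotations", {})
    annotations[LAST_APPLIED] = json.dumps(obj, separators=(",", ":"))
    return stored


# Constructed sample Secret, as it would sit in the API server after `kubectl apply`.
SAMPLE_SECRET = kubectl_apply({
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "db-creds", "namespace": "prod"},
    "type": "Opaque",
    "data": {
        "username": base64.b64encode(b"app").decode(),
        "password": base64.b64encode(b"hunter2").decode(),
    },
})


def label_name(key: str) -> str:
    """Turn an annotation key into a Prometheus label name: only [a-zA-Z0-9_]
    is allowed, everything else becomes '_', prefixed with 'annotation_'."""
    return "annotation_" + re.sub(r"[^a-zA-Z0-9_]", "_", key)


def escape_label_value(value: str) -> str:
    # Exposition format escapes backslash, double quote and newline in label values.
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")


def unescape_label_value(value: str) -> str:
    return re.sub(r"\\(.)", lambda m: {"n": "\n", '"': '"', "\\": "\\"}.get(m.group(1), m.group(0)), value)


def render_annotation_metrics(obj: dict) -> str:
    """Mimic the 1.7.0/1.7.1 experimental feature: one kube_<kind>_annotations
    sample per object with every annotation copied into a label (approximation)."""
    kind = obj["kind"].lower()
    meta = obj["metadata"]
    labels = {"namespace": meta["namespace"], kind: meta["name"]}
    for key, value in meta.get("annotations", {}).items():
        labels[label_name(key)] = value
    rendered = ",".join(f'{k}="{escape_label_value(v)}"' for k, v in labels.items())
    return f"kube_{kind}_annotations{{{rendered}}} 1\n"


# name="value" pairs; the value alternation skips over escaped quotes inside JSON.
LABEL_RE = re.compile(r'([a-zA-Z_][a-zA-Z0-9_]*)="((?:[^"\\]|\\.)*)"')


def find_leaked_secrets(metrics_text: str) -> dict:
    """Scan exposition-format text for kube_secret_annotations samples whose
    last-applied-configuration label holds a Secret manifest; return the
    decoded key/value pairs keyed by 'namespace/name'. Empty dict means clean."""
    leaked = {}
    wanted = label_name(LAST_APPLIED)
    for line in metrics_text.splitlines():
        if not line.startswith("kube_secret_annotations{"):
            continue
        labels = {k: unescape_label_value(v) for k, v in LABEL_RE.findall(line)}
        raw = labels.get(wanted)
        if raw is None:
            continue
        try:
            applied = json.loads(raw)
        except json.JSONDecodeError:
            continue  # annotation present but not a manifest; nothing to decode
        if applied.get("kind") != "Secret":
            continue
        decoded = {}
        for key, b64 in applied.get("data", {}).items():
            decoded[key] = base64.b64decode(b64).decode("utf-8", "replace")
        decoded.update(applied.get("stringData", {}))  # stringData is already plaintext
        leaked[f"{labels.get('namespace')}/{labels.get('secret')}"] = decoded
    return leaked


if __name__ == "__main__":
    scrape = render_annotation_metrics(SAMPLE_SECRET)
    print(scrape)
    print(find_leaked_secrets(scrape))
```

Running the script prints the single kube_secret_annotations sample and then the recovered plaintext for prod/db-creds. The same find_leaked_secrets check can be pointed at a real scrape of a 1.7.0/1.7.1 instance (or at a Prometheus export of the stored series) to confirm whether Secret content has already been ingested and needs rotating; on v1.7.2 and later the metric family is absent and the function returns an empty dict.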
Technical details
Unknown
Credits
Moritz S
Reference(s)
Release v1.7.2 / 2019-08-05 · kubernetes/kube-state-metrics · GitHub
https://github.com/kubernetes/kube-state-metrics/releases/tag/v1.7.2
Filter annotation “annotation_kubectl_kubernetes_io_last_applied_configuration” #854
https://github.com/kubernetes/kube-state-metrics/issues/854
Revert “add kube_*_annotations metrics for all objects” #859
https://github.com/kubernetes/kube-state-metrics/pull/859
add kube_*_annotations metrics for all objects
https://github.com/kubernetes/kube-state-metrics/commit/5ae00bb93fb6c224324d02d8b57c1fb1147948c9
CVE-2019-17110
https://security-tracker.debian.org/tracker/CVE-2019-17110
CVE-2019-17110 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2019-17110
CVE-2019-17110
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17110
CVE-2019-17110
https://nvd.nist.gov/vuln/detail/CVE-2019-17110
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: October 23, 2019