CVE-2019-11247: Kubernetes kube-apiserver allows access to custom resources via wrong scope
First published: Tue Jul 23 2019(Updated: )
The Kubernetes kube-apiserver mistakenly allows access to a cluster-scoped custom resource if the request is made as if the resource were namespaced. Authorizations for the resource accessed in this manner are enforced using roles and role bindings within the namespace, meaning that a user with access only to a resource in one namespace could create, view update or delete the cluster-scoped resource (according to their namespace role privileges). Kubernetes affected versions include versions prior to 1.13.9, versions prior to 1.14.5, versions prior to 1.15.2, and versions 1.7, 1.8, 1.9, 1.10, 1.11, 1.12.
Credit: jordan@liggitt.net jordan@liggitt.net
| Affected Software | Affected Version | How to fix |
|---|---|---|
| go/k8s.io/apiextensions-apiserver | >=0.15.0<0.15.2 | 0.15.2 |
| go/k8s.io/apiextensions-apiserver | >=0.14.0<0.14.5 | 0.14.5 |
| go/k8s.io/apiextensions-apiserver | >=0.7.0<0.13.9 | 0.13.9 |
| redhat/kubernetes | <1.13.9 | 1.13.9 |
| redhat/kubernetes | <1.14.5 | 1.14.5 |
| redhat/kubernetes | <1.15.2 | 1.15.2 |
| redhat/kubernetes | <1.16.0 | 1.16.0 |
| redhat/atomic-openshift | <0:3.10.170-1.git.0.8e592d6.el7 | 0:3.10.170-1.git.0.8e592d6.el7 |
| redhat/ansible-service-broker | <1:1.3.23-2.el7 | 1:1.3.23-2.el7 |
| redhat/ansible-service-broker | <0:1.1.20-2.el7 | 0:1.1.20-2.el7 |
| redhat/atomic-openshift | <0:3.9.101-1.git.0.150f595.el7 | 0:3.9.101-1.git.0.150f595.el7 |
| redhat/atomic-openshift-descheduler | <0:3.9.13-2.git.267.bb59a3f.el7 | 0:3.9.13-2.git.267.bb59a3f.el7 |
| redhat/atomic-openshift-dockerregistry | <0:3.9.101-1.git.1.13625cf.el7 | 0:3.9.101-1.git.1.13625cf.el7 |
| redhat/atomic-openshift-node-problem-detector | <0:3.9.13-2.git.167.5d6b0d4.el7 | 0:3.9.13-2.git.167.5d6b0d4.el7 |
| redhat/atomic-openshift-web-console | <0:3.9.101-1.git.1.601c6d2.el7 | 0:3.9.101-1.git.1.601c6d2.el7 |
| redhat/cockpit | <0:195-2.rhaos.el7 | 0:195-2.rhaos.el7 |
| redhat/containernetworking-plugins | <0:0.5.2-6.el7 | 0:0.5.2-6.el7 |
| redhat/cri-o | <0:1.9.16-3.git858756d.el7 | 0:1.9.16-3.git858756d.el7 |
| redhat/cri-tools | <0:1.0.0-6.rhaos3.9.git8e6013a.el7 | 0:1.0.0-6.rhaos3.9.git8e6013a.el7 |
| redhat/golang-github-openshift-oauth-proxy | <0:2.1-3.git885c9f40.el7 | 0:2.1-3.git885c9f40.el7 |
| redhat/golang-github-openshift-prometheus-alert-buffer | <0:0-3.gitceca8c1.el7 | 0:0-3.gitceca8c1.el7 |
| redhat/golang-github-prometheus-alertmanager | <0:0.14.0-2.git30af4d0.el7 | 0:0.14.0-2.git30af4d0.el7 |
| redhat/golang-github-prometheus-prometheus | <0:2.2.1-2.gitbc6058c.el7 | 0:2.2.1-2.gitbc6058c.el7 |
| redhat/golang-github-prometheus-promu | <0:0-5.git85ceabc.el7 | 0:0-5.git85ceabc.el7 |
| redhat/hawkular-openshift-agent | <0:1.2.2-3.el7 | 0:1.2.2-3.el7 |
| redhat/heapster | <0:1.3.0-4.el7 | 0:1.3.0-4.el7 |
| redhat/image-inspector | <0:2.1.3-2.el7 | 0:2.1.3-2.el7 |
| redhat/openshift-enterprise-image-registry | <0:3.8.0-2.git.216.b6b90bb.el7 | 0:3.8.0-2.git.216.b6b90bb.el7 |
| redhat/openshift-eventrouter | <0:0.1-3.git5bd9251.el7 | 0:0.1-3.git5bd9251.el7 |
| redhat/openshift-external-storage | <0:0.0.1-9.git78d6339.el7 | 0:0.0.1-9.git78d6339.el7 |
| redhat/openvswitch-ovn-kubernetes | <0:0.1.0-3.el7 | 0:0.1.0-3.el7 |
| redhat/openshift | <0:4.1.10-201908060758.git.0.d81afa6.el8 | 0:4.1.10-201908060758.git.0.d81afa6.el8 |
| Kubernetes Kubernetes | >=1.7.0<=1.12.10 | |
| Kubernetes Kubernetes | >=1.13.0<1.13.9 | |
| Kubernetes Kubernetes | >=1.14.0<1.14.5 | |
| Kubernetes Kubernetes | >=1.15.0<1.15.2 | |
| Kubernetes Kubernetes | =1.12.11-beta0 | |
| Redhat Openshift Container Platform | =3.9 | |
| Redhat Openshift Container Platform | =3.10 | |
| Redhat Openshift Container Platform | =3.11 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2019-11247
- https://github.com/kubernetes/kubernetes/issues/80983
- https://access.redhat.com/errata/RHBA-2019:2816
- https://access.redhat.com/errata/RHBA-2019:2824
- https://access.redhat.com/errata/RHSA-2019:2690
- https://access.redhat.com/errata/RHSA-2019:2769
- https://groups.google.com/d/msg/kubernetes-security-announce/vUtEcSEY6SM/v2ZZxsmtFQAJ
- https://security.netapp.com/advisory/ntap-20190919-0003/
- https://github.com/kubernetes/kubernetes/pull/80750
- https://github.com/kubernetes/kubernetes/pull/80850
- https://github.com/kubernetes/kubernetes/pull/80851
- https://github.com/kubernetes/kubernetes/pull/80852
- https://github.com/kubernetes/apiextensions-apiserver/commit/b9b7d2b3f32f8edbeb47b8726710eeb868bce196
- https://github.com/advisories/GHSA-fp37-c92q-4pwq (Advisory)
- https://groups.google.com/forum/#!topic/kubernetes-security-discuss/Vf31dXp0EJc
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1737646
- https://access.redhat.com/errata/RHSA-2019:2504
- https://access.redhat.com/security/cve/cve-2019-11247
- https://bugzilla.redhat.com/show_bug.cgi?id=1732192
- https://www.cve.org/CVERecord?id=CVE-2019-11247 https://nvd.nist.gov/vuln/detail/CVE-2019-11247 https://groups.google.com/forum/#!topic/kubernetes-security-discuss/Vf31dXp0EJc
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2019-11247?
CVE-2019-11247 is a vulnerability in the Kubernetes kube-apiserver that allows access to a cluster-scoped custom resource if the request is made as if the resource were namespaced.
How severe is CVE-2019-11247?
CVE-2019-11247 has a severity rating of 8.1, which is considered high.
What software is affected by CVE-2019-11247?
Kubernetes versions between 1.7.0 and 1.12.10, 1.13.0 and 1.13.9, and 1.14.0 and 1.14.5 are affected by CVE-2019-11247, as well as Redhat Openshift Container Platform 3.9, 3.10, and 3.11.
What is the remedy for CVE-2019-11247?
To fix CVE-2019-11247, users should update to k8s.io/apiextensions-apiserver version 0.15.2, 0.14.5, or 0.13.9 depending on the affected Kubernetes version.
Where can I find more information about CVE-2019-11247?
More information about CVE-2019-11247 can be found on the CVE website (https://www.cve.org/CVERecord?id=CVE-2019-11247), NIST National Vulnerability Database (https://nvd.nist.gov/vuln/detail/CVE-2019-11247), and Redhat Bugzilla (https://bugzilla.redhat.com/show_bug.cgi?id=1732192).
- collector/github-advisory-latest
- alias/GHSA-fp37-c92q-4pwq
- alias/CVE-2019-11247
- collector/github-advisory
- collector/redhat-cve
- collector/nvd-index
- collector/nvd-cve
- agent/author
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- agent/weakness
- agent/references
- agent/severity
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/title
- agent/tags
- agent/event
- package-manager/go
- package-manager/redhat
- vendor/kubernetes
- canonical/kubernetes kubernetes
- version/kubernetes kubernetes/1.7.0
- version/kubernetes kubernetes/1.12.10
- version/kubernetes kubernetes/1.13.0
- version/kubernetes kubernetes/1.14.0
- version/kubernetes kubernetes/1.15.0
- version/kubernetes kubernetes/1.12.11-beta0
- vendor/redhat
- canonical/redhat openshift container platform
- version/redhat openshift container platform/3.9
- version/redhat openshift container platform/3.10
- version/redhat openshift container platform/3.11