First published: Mon Aug 12 2019
Kubernetes requires an authentication mechanism to enforce users’ privileges. One authentication method, bearer tokens, uses opaque strings that associate a request with a user who has previously authenticated successfully. Anyone in possession of such a token may masquerade as the original user (the “bearer”) without further authentication. Within Kubernetes, the bearer token is written into the hyperkube kube-apiserver system logs at high verbosity levels (--v 10). A malicious user with access to the system logs on such a system could masquerade as any user who has previously logged into the system.
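As an added example, not code from this advisory or from the Kubernetes project, the following Go triage scan runs over constructed klog-style log lines of the kind the description refers to: it flags each line on which a bearer token was written out and produces a redacted copy, so an operator can tell which credentials to rotate and what is safe to ship to a log aggregator. The log format, file names and token value are constructed for the sample; the only lasting fix is the upgrade given in the table.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample in the style of klog output from client-go's debugging
// round tripper, not captured from a real cluster; the token value is fake.
var SampleLog = []string{
	`I0812 10:00:01.000000 1 round_trippers.go:419] curl -k -v -XGET -H "Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.constructed.token" 'https://10.0.0.1:6443/api/v1/nodes'`,
	`I0812 10:00:01.000100 1 round_trippers.go:438] GET https://10.0.0.1:6443/api/v1/nodes 200 OK in 3 milliseconds`,
	`I0812 10:00:01.000200 1 round_trippers.go:448]     Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.constructed.token`,
}

// A bearer credential anywhere in a line. The value stops at whitespace or a
// quote, so the shell quoting around it survives redaction.
var bearerRe = regexp.MustCompile(`(?i)(Authorization:\s*Bearer\s+)([^\s"']+)`)

// ScanLogs returns, for each line that carries a bearer token, the line
// number (1-based) mapped to the token's first six characters (enough to
// identify which credential to rotate, not enough to replay it), and a copy
// of the log with every token value replaced by "<redacted>".
func ScanLogs(lines []string) (map[int]string, []string) {
	leaks := map[int]string{}
	redacted := make([]string, 0, len(lines))
	for i, l := range lines {
		if m := bearerRe.FindStringSubmatch(l); m != nil {
			p := m[2]
			if len(p) > 6 {
				p = p[:6]
			}
			leaks[i+1] = p
		}
		redacted = append(redacted, bearerRe.ReplaceAllString(l, "${1}<redacted>"))
	}
	return leaks, redacted
}

func main() {
	leaks, redacted := ScanLogs(SampleLog)
	for n, p := range leaks {
		fmt.Printf("line %d: bearer token leaked (prefix %s)\n", n, p)
	}
	fmt.Println(strings.Join(redacted, "\n"))
}
```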
Credit: jordan@liggitt.net
| Affected Software | Affected Version | How to fix |
|---|---|---|
| go/k8s.io/kubernetes | <1.16.0-beta.1 | 1.16.0-beta.1 |
| go/k8s.io/client-go | <0.17.0 | 0.17.0 |
| redhat/atomic-openshift | <0:3.11.157-1.git.0.dfe38da.el7 | 0:3.11.157-1.git.0.dfe38da.el7 |
| redhat/openshift | <0:4.1.27-201912021146.git.0.a40116f.el7 | 0:4.1.27-201912021146.git.0.a40116f.el7 |
| Kubernetes Kubernetes | <1.15.3 | |
| Kubernetes Kubernetes | =1.15.3 | |
| Kubernetes Kubernetes | =1.15.4-beta0 | |
| Kubernetes Kubernetes | =1.16.0-alpha1 | |
| Kubernetes Kubernetes | =1.16.0-alpha2 | |
| Kubernetes Kubernetes | =1.16.0-alpha3 | |
| Kubernetes Kubernetes | =1.16.0-beta1 | |
| Kubernetes Kubernetes | =1.16.0-beta2 | |
| Redhat Openshift Container Platform | =3.11 | |
| Redhat Openshift Container Platform | =4.1 | |
The severity of CVE-2019-11250 is medium (6.5).
Unauthorized users can access credentials in CVE-2019-11250 through logs or command output.
Kubernetes components (such as kube-apiserver) prior to v1.16.0 are affected by CVE-2019-11250.
To fix CVE-2019-11250, you need to upgrade Kubernetes components to v1.16.0 or higher.
You can find more information about CVE-2019-11250 at the following references: [NVD](https://nvd.nist.gov/vuln/detail/CVE-2019-11250), [GitHub](https://github.com/kubernetes/kubernetes/issues/81114), and [Red Hat Advisory](https://access.redhat.com/errata/RHSA-2019:4052).