[ANNOUNCE] Security release of kubectl versions v1.16.0 / 1.15.4 / 1.14.7 and 1.13.11 - CVE-2019-11251

Hello Kubernetes Community,

A security issue was discovered in kubectl versions v1.13.10, v1.14.6, and v1.15.3. The issue is of a medium severity and upgrading of kubectl is encouraged to fix the vulnerability.

Am I vulnerable?

Run kubectl version --client and if it returns versions v1.13.10, v1.14.6, and v1.15.3, you are running a vulnerable version.

How do I upgrade?

Follow installation instructions here Install and Set Up kubectl - Kubernetes

Not all instructions will provide up-to-date kubectl versions at the time of this announcement. So, always confirm with kubectl version --client.

Vulnerability Details

The details for this vulnerability are very similar to CVE-2019-1002101 and CVE-2019-11246.
A vulnerability has been discovered in kubectl cp that allows a combination of two symlinks to copy a file outside of its destination directory. This could be used to allow an attacker to place a netfarious file using a symlink, outside of the destination tree.

This issue is filed as CVE-2019-11251 .

Two fixes were formulated, one fix to remove symlink support going forwards and a fix with cherry picks made to ensure backwards compatibility.

See https://github.com/kubernetes/kubernetes/pull/82143 for main fix in v1.16.0 which removes the support of symlinks in kubectl cp. After version 1.16.0, symlink support with kubectl cp is removed, it is recommended instead to use a combination of exec+tar.

A second fix has been made to 1.15.4 and backported to 1.14.7 and 1.13.11. This changes thekubectl cp un-tar symlink logic, by unpacking the symlinks after all the regular files have been unpacked. This then guarantees that a file can’t be written through a symlink.

See https://github.com/kubernetes/kubernetes/pull/82384 for the fix to version 1.15.4. The following Cherry picks were made from this fix to earlier versions of v1.14.7 and v1.13.11:

See https://github.com/kubernetes/kubernetes/pull/82502 for version 1.14.7
See https://github.com/kubernetes/kubernetes/pull/82503 for version 1.13.11

Thank you to Erik Sjölund for discovering this issue, Tim Allclair and Maciej Szulik for both fixes and the patch release managers for including the fix in their releases.

Thank You,

Luke Hinds on behalf of the Kubernetes Product Security Committee

3 Likes