Upgrade to Kubernetes 1.11.9 [CVE-2019-1002100, CVE-2019-9946, CVE-2019-3874, CVE-2019-1002101]

We are in the process of upgrading our managed Kubernetes clusters from v1.11.6 to v1.11.9.

Besides general bug fixes and improvements, full details of which are in the Kubernetes changelog, this rollout includes several high- and medium-priority security fixes.

CVE-2019-1002101 - Action to take!

Fix is included in kubectl 1.11.9, 1.12.7, 1.13.5 and 1.14.0.

Kubernetes security announcement

A security issue was discovered in the Kubernetes kubectl cp command that could enable a directory traversal, replacing or deleting files on a user's workstation.

This is considered a High severity issue and you should upgrade your kubectl binary to the latest version! Check out the install instructions.

CVE-2019-1002100

Fix is included in Kubernetes 1.11.8.

Kubernetes security announcement

A denial of service vulnerability was found in the Kubernetes API Server. A remote user, with authorization to apply patches, could exploit this via crafted JSON input, causing excessive consumption of resources and subsequent denial of service.

CVE-2019-3874

We have updated our base K8s AMIs to blacklist this esoteric, unused kernel module.

Kubernetes security announcement

The SCTP socket buffer used by a userspace application is not accounted for by the cgroups subsystem. An attacker can use this flaw to cause a denial of service. The 3.10.x and 4.18.x kernel branches are believed to be vulnerable.

CVE-2019-9946

Fix is included in Kubernetes 1.11.9.

Kubernetes security announcement

A security issue was discovered with interactions between the CNI (Container Networking Interface) portmap plugin versions prior to 0.7.5 and Kubernetes.

The ‘portmap’ plugin, used to set up HostPorts for CNI, would insert rules at the front of the iptables nat chains, which would take precedence over the KUBE-SERVICES chain. Because of this, the HostPort/portmap rule could match incoming traffic even if there were better fitting, more specific service definition rules, such as NodePorts, later in the chain.

Switching the portmap plugin to append its rules, rather than prepend, allows traffic to be processed by KUBE-SERVICES rules first. Only if traffic does not match a service will it be considered for HostPorts. This is compatible with the behavior of the legacy ‘kubenet’ network driver.
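To check which ordering a node actually has, the script below inspects an `iptables -t nat -S PREROUTING` listing and reports whether the portmap jump precedes the KUBE-SERVICES jump. This is an added example, not code from the advisory or from the CNI project; it assumes the portmap plugin's DNAT chain is named CNI-HOSTPORT-DNAT, and the two listings it tests against are constructed samples.

```shell
#!/bin/sh
# Detect the pre-0.7.5 portmap ordering described above: the jump to the
# portmap DNAT chain sitting in front of the jump to KUBE-SERVICES in the
# nat PREROUTING chain. Input is the text of `iptables -t nat -S PREROUTING`.
# Returns 0 when the ordering is safe (KUBE-SERVICES first, or no portmap
# jump at all) and 1 when the portmap jump comes first.
check_nat_order() {
    # $1: iptables -S listing, one rule per line
    printf '%s\n' "$1" | awk '
        # CNI-HOSTPORT-DNAT is assumed to be the portmap plugin chain name
        /^-A PREROUTING .*-j CNI-HOSTPORT-DNAT/ && !portmap { portmap = NR }
        /^-A PREROUTING .*-j KUBE-SERVICES/     && !svc     { svc = NR }
        END {
            if (portmap && (!svc || portmap < svc)) exit 1
            exit 0
        }'
}

# Constructed sample: portmap rule prepended, the vulnerable ordering.
VULNERABLE_LISTING='-P PREROUTING ACCEPT
-A PREROUTING -m addrtype --dst-type LOCAL -j CNI-HOSTPORT-DNAT
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES'

# Constructed sample: portmap rule appended, the fixed ordering.
FIXED_LISTING='-P PREROUTING ACCEPT
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A PREROUTING -m addrtype --dst-type LOCAL -j CNI-HOSTPORT-DNAT'

report() {
    # $1: label, $2: listing
    if check_nat_order "$2"; then
        echo "$1: KUBE-SERVICES is consulted before HostPorts (safe ordering)"
    else
        echo "$1: portmap jump precedes KUBE-SERVICES (pre-0.7.5 ordering)"
    fi
}

report "sample-vulnerable" "$VULNERABLE_LISTING"
report "sample-fixed" "$FIXED_LISTING"
# On a live node (as root): report "$(hostname)" "$(iptables -t nat -S PREROUTING)"
```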