
CVE-2019-11243: Security Advisory and Response

Learn about CVE-2019-11243 affecting Kubernetes versions v1.12.0-v1.12.4 and v1.13.0. Discover the impact, technical details, and mitigation steps for this vulnerability.

Kubernetes versions v1.12.0-v1.12.4 and v1.13.0 are affected by a vulnerability related to the rest.AnonymousClientConfig() method failing to clear service account credentials effectively.

Understanding CVE-2019-11243

This CVE impacts Kubernetes versions v1.12.0-v1.12.4 and v1.13.0 due to a flaw in the rest.AnonymousClientConfig() method.

What is CVE-2019-11243?

In Kubernetes versions v1.12.0-v1.12.4 and v1.13.0, the rest.AnonymousClientConfig() method is meant to return a copy of a client configuration with all credentials removed: bearer token, username/password, and client certificate/key data. However, it fails to clear service account credentials loaded using rest.InClusterConfig(), because those credentials are carried by the configuration's transport fields rather than by the credential fields the method clears.

The Impact of CVE-2019-11243

The vulnerability has a CVSS base score of 3.1 (Low severity): network attack vector, high attack complexity, low privileges required, and an impact on confidentiality only.

Technical Details of CVE-2019-11243

The technical aspects of this CVE are summarised below.

Vulnerability Description

The rest.AnonymousClientConfig() method in Kubernetes versions v1.12.0-v1.12.4 and v1.13.0 does not effectively clear service account credentials loaded using rest.InClusterConfig().

Affected Systems and Versions

        Affected Versions: v1.12.0-v1.12.4, v1.13.0
        Affected Product: Kubernetes
        Vendor: Kubernetes

Exploitation Mechanism

A client configuration derived with rest.AnonymousClientConfig() from an in-cluster configuration is not actually anonymous: requests sent through it still carry the pod's service account credentials. Code that relies on the anonymous configuration to make unauthenticated requests (for example, to probe what an unauthenticated caller may see) therefore acts with the service account's permissions instead, which can expose data the anonymous caller was never meant to access.

Mitigation and Prevention

Steps to address and prevent the CVE are listed below.

Immediate Steps to Take

        If you cannot upgrade immediately, clear the config.WrapTransport and config.Transport fields of the returned configuration in addition to calling rest.AnonymousClientConfig(), so that no transport-level credential injection survives in the anonymous copy.
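The following Go program is an added illustration of the flaw described above and of the workaround just listed; it is not code from the advisory or from the Kubernetes project. To stay self-contained it uses a constructed Config type with the same field names as the relevant part of client-go's rest.Config (an assumption, not the real type), a constructed service account token, and a local test server that records whether an Authorization header arrived. FlawedAnonymous models the vulnerable behaviour (credential fields cleared, transport fields copied across), and HardenedAnonymous applies the workaround of also clearing WrapTransport and Transport.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Config is a constructed stand-in for the part of client-go's rest.Config that
// this advisory concerns (assumption: same field names, not the real type).
type Config struct {
	BearerToken   string
	Transport     http.RoundTripper
	WrapTransport func(http.RoundTripper) http.RoundTripper
}

// roundTripperFunc adapts a plain function to http.RoundTripper.
type roundTripperFunc func(*http.Request) (*http.Response, error)

func (f roundTripperFunc) RoundTrip(r *http.Request) (*http.Response, error) { return f(r) }

// bearerWrap returns a WrapTransport that injects a token into every request,
// modelling how an in-cluster configuration carries the service account token.
func bearerWrap(token string) func(http.RoundTripper) http.RoundTripper {
	return func(rt http.RoundTripper) http.RoundTripper {
		return roundTripperFunc(func(req *http.Request) (*http.Response, error) {
			req.Header.Set("Authorization", "Bearer "+token)
			return rt.RoundTrip(req)
		})
	}
}

// InClusterLike builds a config the way an in-cluster client would see it.
// The token is constructed for the example, not read from a pod's token file.
func InClusterLike() *Config {
	const token = "constructed-service-account-token"
	return &Config{BearerToken: token, WrapTransport: bearerWrap(token)}
}

// FlawedAnonymous models the vulnerable behaviour: the credential fields are
// dropped, but Transport and WrapTransport are copied across unchanged.
func FlawedAnonymous(c *Config) *Config {
	return &Config{Transport: c.Transport, WrapTransport: c.WrapTransport}
}

// HardenedAnonymous applies the advisory's workaround on top of the flawed
// result: clear WrapTransport and Transport as well.
func HardenedAnonymous(c *Config) *Config {
	a := FlawedAnonymous(c)
	a.WrapTransport = nil
	a.Transport = nil
	return a
}

// buildTransport assembles the effective round tripper from a Config in the
// order a client would: base transport, then bearer token, then wrapper.
func buildTransport(c *Config) http.RoundTripper {
	rt := http.DefaultTransport
	if c.Transport != nil {
		rt = c.Transport
	}
	if c.BearerToken != "" {
		rt = bearerWrap(c.BearerToken)(rt)
	}
	if c.WrapTransport != nil {
		rt = c.WrapTransport(rt)
	}
	return rt
}

// AuthHeaderSent sends one request to a local test server and reports whether
// an Authorization header arrived, i.e. whether the supposedly anonymous
// client still authenticated as the service account.
func AuthHeaderSent(c *Config) (bool, error) {
	var got string
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got = r.Header.Get("Authorization")
	}))
	defer srv.Close()

	client := &http.Client{Transport: buildTransport(c)}
	resp, err := client.Get(srv.URL + "/api")
	if err != nil {
		return false, err
	}
	resp.Body.Close()
	return got != "", nil
}

func main() {
	for name, cfg := range map[string]*Config{
		"in-cluster":         InClusterLike(),
		"flawed anonymous":   FlawedAnonymous(InClusterLike()),
		"hardened anonymous": HardenedAnonymous(InClusterLike()),
	} {
		sent, err := AuthHeaderSent(cfg)
		if err != nil {
			fmt.Println(name, "error:", err)
			continue
		}
		fmt.Printf("%-18s sends credentials: %v\n", name, sent)
	}
}
```

Running the program shows the in-cluster configuration and the flawed anonymous copy both sending the token, while the hardened copy sends no Authorization header. The point to carry over to real code is that "anonymous" must be judged by what leaves the wire, not by which struct fields are empty: a test like AuthHeaderSent against a local server is a cheap regression check for any helper that claims to strip credentials.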

Long-Term Security Practices

        Regularly review and update Kubernetes configurations
        Monitor for unauthorized access and unusual activities

Patching and Updates

Apply the patched Kubernetes releases that correct rest.AnonymousClientConfig(), and review any code that depends on the method to confirm it no longer needs the manual workaround once upgraded.
