
CVE-2019-11248 : Security Advisory and Response

Learn about CVE-2019-11248, in which the Kubernetes kubelet serves the Go /debug/pprof endpoints on its unauthenticated healthz port. Find out the affected versions, the impact, and the mitigation steps needed to secure your nodes.

Kubernetes kubelet exposes /debug/pprof info on healthz port.

Understanding CVE-2019-11248

What is CVE-2019-11248?

The kubelet runs a small HTTP health-check server, the healthz port (10248 by default), with no authentication. In affected versions that server also registers Go's /debug/pprof handlers, so anyone who can open a connection to the port can pull heap and goroutine dumps, CPU profiles and similar runtime data from the kubelet process. This can reveal sensitive information such as internal kubelet memory addresses and configuration, and because profile requests are expensive, a stream of them amounts to a limited denial of service against the node agent.

The Impact of CVE-2019-11248

Kubelet versions prior to 1.15.0, 1.14.4, 1.13.8 and 1.12.10 are affected. Kubernetes rated the issue medium severity, and it is not exposed by the default configuration: the kubelet binds the healthz port to 127.0.0.1 unless told otherwise, so only nodes whose healthz bind address was widened to a routable address (for example 0.0.0.0, to let an external health checker reach it) can be hit by a remote attacker.

Technical Details of CVE-2019-11248

Vulnerability Description

An unauthenticated client that can reach the healthz port can request /debug/pprof/ and its sub-handlers (heap, goroutine, profile and the rest). Heap and goroutine dumps leak internal state of the kubelet process, including memory addresses and configuration, and a CPU profile consumes processor time for the requested duration, so repeated requests degrade the node agent: a limited denial of service.

Affected Systems and Versions

        Kubelet versions prior to 1.15.0, 1.14.4, 1.13.8 and 1.12.10; fixed in those releases and later.

Exploitation Mechanism

No credentials are needed. From any host that can open a TCP connection to the node's healthz port, a plain HTTP GET to /debug/pprof/ returns the pprof index, and GETs to the individual handlers return the profiles. The fixed releases no longer register the pprof handlers on the healthz server; profiling remains available only through the kubelet's main API port (10250 by default), which can and should be configured to require authentication and authorization.
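To check whether a node is exposed, the following shell script (an added example, not part of the original advisory) requests /debug/pprof/ on the healthz port from another host and classifies the answer. It assumes the kubelet default healthz port 10248 (override HEALTHZ_PORT if your nodes use another), the node addresses on the command line are placeholders you supply, and the mapping of a 404 to "fixed kubelet" assumes a patched kubelet that simply does not register the pprof paths.

```shell
#!/bin/sh
# Added example: audit nodes for CVE-2019-11248 exposure by requesting
# /debug/pprof/ on the kubelet healthz port. Run it from a host OTHER than
# the node under test: from the node itself a loopback-bound port still answers.
HEALTHZ_PORT="${HEALTHZ_PORT:-10248}"   # kubelet default; override if changed

# probe_pprof NODE -> prints the HTTP status, or 000 when no HTTP response arrived
# (connection refused, filtered, or no answer within 5 seconds)
probe_pprof() {
    code=$(curl -s -o /dev/null -m 5 -w '%{http_code}' \
        "http://$1:${HEALTHZ_PORT}/debug/pprof/" 2>/dev/null)
    printf '%s\n' "${code:-000}"
}

# classify STATUS -> one-line verdict for the status code probe_pprof returned
classify() {
    case "$1" in
        200) printf '%s\n' "EXPOSED: /debug/pprof served without authentication" ;;
        404) printf '%s\n' "OK: pprof not registered (fixed kubelet), but the healthz port is still remotely reachable" ;;
        000) printf '%s\n' "NOT REACHABLE: no HTTP answer from this host (loopback-bound, firewalled, or down)" ;;
        *)   printf '%s\n' "UNEXPECTED: HTTP $1, inspect manually" ;;
    esac
}

# audit NODE... -> one tab-separated line per node: address, status, verdict
audit() {
    for node in "$@"; do
        status=$(probe_pprof "$node")
        printf '%s\t%s\t%s\n' "$node" "$status" "$(classify "$status")"
    done
}

# Usage: sh kubelet-pprof-audit.sh 10.0.0.11 10.0.0.12   (placeholder addresses)
if [ $# -gt 0 ]; then
    audit "$@"
fi
```

A NOT REACHABLE result only says the port is closed from the probing host; confirm on the node itself with the bind address check in the mitigation section before treating it as safe.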

Mitigation and Prevention

Immediate Steps to Take

        Put the kubelet's healthz listener back on loopback so other hosts cannot reach it: set healthzBindAddress: 127.0.0.1 in the KubeletConfiguration file (/var/lib/kubelet/config.yaml on kubeadm-managed nodes) or pass --healthz-bind-address=127.0.0.1 on the kubelet command line, then restart the kubelet. If an external health checker genuinely needs the port, restrict it with host firewall rules to that checker's address until the node is upgraded.
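The following shell script, an added example rather than the advisory's own text, applies the binding change to a KubeletConfiguration file and shows how to verify it on the node. It assumes the kubeadm layout (configuration at /var/lib/kubelet/config.yaml, kubelet run by systemd); the file path and restart command are parameters to adjust for other distributions, and the sample configuration embedded at the end is constructed only to exercise the functions.

```shell
#!/bin/sh
# Added example: force the kubelet healthz port back onto loopback.
# healthzBindAddress is a top-level key of KubeletConfiguration
# (kubelet.config.k8s.io/v1beta1); the kubelet default is already 127.0.0.1,
# so the key only needs rewriting on nodes where someone widened it.

# healthz_bind_address CONFIG_FILE -> current value, or "unset" (kubelet default applies)
healthz_bind_address() {
    awk -F': *' '/^healthzBindAddress:/ { gsub(/["'\'']/, "", $2); print $2; found=1 }
                 END { if (!found) print "unset" }' "$1"
}

# set_healthz_loopback CONFIG_FILE -> rewrite the key in place, appending it if absent
set_healthz_loopback() {
    cfg="$1"
    tmp=$(mktemp) || return 1
    awk '/^healthzBindAddress:/ { print "healthzBindAddress: 127.0.0.1"; seen=1; next }
         { print }
         END { if (!seen) print "healthzBindAddress: 127.0.0.1" }' "$cfg" > "$tmp" \
        && cat "$tmp" > "$cfg"        # cat, not mv, keeps the file's owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# remediate_node [CONFIG_FILE] -> apply the change, restart the kubelet, show the listener (root required)
remediate_node() {
    cfg="${1:-/var/lib/kubelet/config.yaml}"
    printf 'before: healthzBindAddress=%s\n' "$(healthz_bind_address "$cfg")"
    set_healthz_loopback "$cfg" || return 1
    printf 'after:  healthzBindAddress=%s\n' "$(healthz_bind_address "$cfg")"
    systemctl restart kubelet
    # Expect 127.0.0.1:10248 here, not *:10248 or a node IP
    ss -ltnp | grep ':10248 '
}

# Dry run against a constructed sample (no kubelet restart): prints 0.0.0.0 then 127.0.0.1
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
healthzBindAddress: 0.0.0.0
healthzPort: 10248
authentication:
  anonymous:
    enabled: false
EOF
healthz_bind_address "$SAMPLE"
set_healthz_loopback "$SAMPLE"
healthz_bind_address "$SAMPLE"
rm -f "$SAMPLE"
# On a real node, as root: remediate_node /var/lib/kubelet/config.yaml
```

Command-line flags take precedence over the configuration file, so also check the running process (for example ps -o args -C kubelet) for an explicit --healthz-bind-address; if one is present it must be changed where it is set, such as KUBELET_EXTRA_ARGS in /etc/default/kubelet on kubeadm nodes, or the file edit has no effect.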

Long-Term Security Practices

        Track Kubernetes security announcements and keep control-plane and node components on supported, patched releases.
        Keep kubelet ports (10250 and 10248) off untrusted networks: firewall them at the host and network level, and bind diagnostic and health listeners to loopback unless a specific consumer needs them.

Patching and Updates

Upgrade the kubelet to 1.15.0, 1.14.4, 1.13.8, 1.12.10 or a later release, which removes the pprof handlers from the healthz server. Rebinding the port is a stopgap, not a substitute for the patch.
