Plattform
kubernetes
Komponente
kubernetes
Behoben in
N/A
N/A
N/A
N/A
N/A
N/A
N/A
CVE-2019-11244 affects Kubernetes versions 1.8.0 through 1.14.x. This vulnerability arises from the way kubectl caches schema information. If the --cache-dir flag is used and points to a world-writeable location, other users on the system can modify these cached files, leading to unexpected behavior or disruption of kubectl commands. The vulnerability is resolved in version v1.14*.
The primary impact of CVE-2019-11244 is the potential for denial-of-service or disruption of kubectl functionality. An attacker with access to the same system as a Kubernetes user can exploit this vulnerability by modifying the cached schema files. This could lead to kubectl failing to correctly interpret API responses, resulting in errors or unexpected behavior. While the CVSS score is LOW, the ease of exploitation and potential for disruption make it a concern, especially in multi-user environments where shared file systems are common. The attacker does not gain elevated privileges, but can impact the usability of the Kubernetes cluster for legitimate users.
CVE-2019-11244 was publicly disclosed on April 22, 2019. There is no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) code has been widely released. The vulnerability is not currently listed on the CISA KEV catalog. The LOW CVSS score reflects the limited impact and relatively low probability of exploitation.
Kubernetes clusters running versions 1.8.0 through 1.14.x are at risk, particularly those where the --cache-dir flag is used with a directory accessible to multiple users or groups. Shared hosting environments and clusters with less stringent access controls are especially vulnerable.
• linux / server:
find /home/$USER/.kube/http-cache -perm -o=rwxrwxrwx• kubernetes / cluster:
Check kubectl configuration files for the --cache-dir flag and verify the permissions of the specified directory.
disclosure
Exploit-Status
EPSS
0.10% (27% Perzentil)
CVSS-Vektor
The recommended mitigation for CVE-2019-11244 is to upgrade to Kubernetes version v1.14* or later, which includes the fix. If upgrading immediately is not possible, restrict access to the --cache-dir directory. Ensure that the directory is not world-writeable and that only the Kubernetes user has write access. Consider using a dedicated user account for kubectl with limited privileges. Monitor the --cache-dir for unexpected modifications. There are no specific WAF or proxy rules applicable to this vulnerability as it is a local configuration issue. After upgrade, confirm kubectl functionality by executing a standard API call, such as kubectl get pods.
Kubernetes auf eine Version aktualisieren, die neuer als 1.14.x ist. Als vorübergehende Lösung stellen Sie sicher, dass das kubectl-Cache-Verzeichnis (--cache-dir) nicht für andere Benutzer/Gruppen zugänglich ist oder geben Sie es nicht an, um den Standardwert im Home-Verzeichnis des Benutzers zu verwenden.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2019-11244 is a LOW severity vulnerability in Kubernetes affecting versions 1.8.0–v1.14*. It allows potential modification of cached schema files, disrupting kubectl operations.
You are affected if your Kubernetes cluster is running versions 1.8.0 through 1.14.x and kubectl is configured to use a world-writeable cache directory.
Upgrade your Kubernetes cluster to version 1.14* or later. If immediate upgrade is not possible, restrict access to the --cache-dir directory.
There is no public evidence of active exploitation of CVE-2019-11244 at this time.
Refer to the Kubernetes security advisory at https://kubernetes.io/blog/2019/04/22/security-announcement-CVE-2019-11244/
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.