Platform: kubernetes
Component: kubernetes-api-server
Fixed in: 2.1.1, 3.1.1, 3.1.2, 3.1.3
CVE-2019-4119 affects the IBM Cloud Private Kubernetes API server, allowing it to be exploited as an HTTP proxy. This misconfiguration enables attackers to proxy traffic to both internal cluster resources and external IP addresses, potentially bypassing security controls. The vulnerability impacts versions 2.1.0 through 3.1.2, and a fix is available in version 3.1.3.
The primary impact of CVE-2019-4119 is the ability for an attacker to leverage the Kubernetes API server as a proxy. This allows them to intercept and potentially modify traffic destined for internal cluster components or external services. An attacker could use this to exfiltrate sensitive data, perform man-in-the-middle attacks, or even gain access to systems outside the Kubernetes cluster. While the CVSS score is LOW, the potential for bypassing security controls and the broad scope of potential targets make this a significant concern, especially in environments with sensitive data or critical infrastructure.
CVE-2019-4119 was publicly disclosed on May 17, 2019. There is no indication of active exploitation campaigns targeting this vulnerability. It is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, but the vulnerability's nature makes it relatively straightforward to exploit given access to the API server.
Organizations utilizing IBM Cloud Private Kubernetes in versions 2.1.0 through 3.1.2 are at risk. This includes deployments with exposed API servers and those handling sensitive data, as the proxy functionality can be exploited to bypass security controls and access internal resources.
• kubernetes / server: `journalctl -u kube-apiserver | grep -i proxy`
• kubernetes / server: `kubectl get configmap kube-proxy -o yaml | grep proxy`
• generic web: `curl -I <kubernetes_api_server_url>` (inspect the response headers for unusual proxy configurations)
disclosure
Exploit status
EPSS: 0.26% (49th percentile)
CVSS vector
The recommended mitigation for CVE-2019-4119 is to upgrade to IBM Cloud Private Kubernetes version 3.1.3 or later, which includes the fix for this proxy misconfiguration. If an immediate upgrade is not feasible, consider implementing network segmentation to restrict access to the API server. Additionally, review and tighten API server access controls to limit who can interact with the API. Monitor API server logs for unusual traffic patterns that might indicate exploitation attempts. After upgrade, confirm the fix by verifying that external IP addresses are no longer accessible through the API server.
Update the IBM Cloud Private Kubernetes API server to a version later than 3.1.2. Consult the IBM documentation for specific instructions on how to perform the upgrade.
CVE-2019-4119 is a LOW severity vulnerability in IBM Cloud Private Kubernetes API server versions 2.1.0–3.1.2 that allows it to be used as an HTTP proxy, potentially exposing internal and external resources.
If you are running IBM Cloud Private Kubernetes versions 2.1.0, 3.1.0, 3.1.1, or 3.1.2, you are potentially affected by this vulnerability.
Upgrade to IBM Cloud Private Kubernetes version 3.1.3 or later to remediate the vulnerability. Consider network segmentation as a temporary workaround.
There is currently no evidence of active exploitation campaigns targeting CVE-2019-4119, but the vulnerability's nature makes it a potential risk.
Refer to the IBM Security Bulletin for details: https://www.ibm.com/support/kbdoc/firstdoc/security/psirt1939