
CVE-2019-11249: PKS consumes a vulnerable version of kubectl


Severity

Medium

Vendor

Pivotal

Description

Pivotal Container Service (PKS) 1.4.x versions prior to 1.4.3 ship a vulnerable version of kubectl, the Kubernetes command-line client. The affected Kubernetes versions are those prior to 1.13.9, prior to 1.14.5 and prior to 1.15.2, together with every release from 1.1 through 1.12.

The kubectl cp command copies files between a container and the user's machine. To copy files out of a container, kubectl runs tar inside the container to build an archive, streams that archive over the network, and unpacks it on the user's machine. The archive is therefore produced entirely by the container: a malicious tar binary (or a compromised container image) controls every entry name in the stream, and can emit names that escape the destination directory, for example through ".." components or absolute paths. A vulnerable kubectl trusts those names when it unpacks the archive, so an attacker who controls the container can write files to any path on the user's machine whenever kubectl cp is run against that container, limited only by the system permissions of the local user running kubectl.
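The description above gives the mechanism in a sentence. The program below is an added example, not part of this advisory and not kubectl's own code, written in Go because that is the language kubectl is written in. BuildTarStream constructs in memory the kind of archive a hostile tar inside a container could send back (the entry names and file bodies are invented for the example); CheckEntry is one way a hardened client can vet each entry before writing it, rejecting absolute names, names that climb out with "..", link targets that resolve outside the destination, and entries that would be written through a link created earlier in the same archive; ScanStream applies the check to a whole stream without touching the filesystem. The function names and rejection reasons are this example's own, the path handling assumes a Unix-like host, and none of it is taken from the kubectl fix.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// BuildTarStream constructs, in memory, the kind of archive a hostile tar binary
// in a container could stream to `kubectl cp`. Constructed sample input, not a capture.
func BuildTarStream() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	add := func(hdr *tar.Header, body string) {
		hdr.Size = int64(len(body)) // zero for the symlink, as tar requires
		must(tw.WriteHeader(hdr))
		_, err := io.WriteString(tw, body)
		must(err)
	}
	// One benign entry, then four hostile ones: a ".." traversal, an absolute
	// name, a symlink out of the destination, and a file written through that symlink.
	add(&tar.Header{Name: "app/config.yaml", Mode: 0644, Typeflag: tar.TypeReg}, "key: value\n")
	add(&tar.Header{Name: "../../.ssh/authorized_keys", Mode: 0600, Typeflag: tar.TypeReg}, "ssh-ed25519 AAAA attacker\n")
	add(&tar.Header{Name: "/etc/cron.d/backdoor", Mode: 0644, Typeflag: tar.TypeReg}, "* * * * * root /tmp/x\n")
	add(&tar.Header{Name: "app/link", Typeflag: tar.TypeSymlink, Linkname: "../../"}, "")
	add(&tar.Header{Name: "app/link/.bashrc", Mode: 0644, Typeflag: tar.TypeReg}, "echo pwned\n")
	must(tw.Close())
	return buf.Bytes()
}

// Verdict is the decision for one archive entry.
type Verdict struct{ Name, Why string; OK bool }

// escapes reports whether a path is absolute or, once cleaned, climbs above its root.
func escapes(p string) bool {
	c := filepath.Clean(p)
	return filepath.IsAbs(c) || strings.HasPrefix(c, "/") || c == ".." ||
		strings.HasPrefix(c, ".."+string(filepath.Separator))
}

// CheckEntry decides whether one entry may be written under the destination
// directory. links is the set of link entries seen so far in this archive, keyed
// by cleaned name: a parent component that is such a link means the write would
// land wherever the link points, so rejecting ".." alone is not enough.
func CheckEntry(hdr *tar.Header, links map[string]bool) Verdict {
	name := hdr.Name
	if escapes(name) {
		return Verdict{name, "name escapes destination", false}
	}
	clean := filepath.Clean(name)
	parts := strings.Split(clean, string(filepath.Separator))
	for i := 1; i < len(parts); i++ {
		if parent := filepath.Join(parts[:i]...); links[parent] {
			return Verdict{name, "name passes through link " + parent, false}
		}
	}
	if hdr.Typeflag == tar.TypeSymlink || hdr.Typeflag == tar.TypeLink {
		links[clean] = true // recorded even when rejected, so later entries through it are caught
		// Symlink targets resolve relative to their own directory, hard links to the archive root.
		if t := hdr.Linkname; escapes(t) || escapes(filepath.Join(filepath.Dir(clean), t)) {
			return Verdict{name, "link target escapes destination", false}
		}
	}
	return Verdict{name, "", true}
}

// ScanStream walks a tar stream and returns one Verdict per entry. A hardened
// extractor would call CheckEntry before each write; here bodies are skipped.
func ScanStream(r io.Reader) ([]Verdict, error) {
	tr := tar.NewReader(r)
	links := map[string]bool{}
	var out []Verdict
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return out, nil
		} else if err != nil {
			return out, err
		}
		out = append(out, CheckEntry(hdr, links))
	}
}

func main() {
	verdicts, err := ScanStream(bytes.NewReader(BuildTarStream()))
	must(err)
	for _, v := range verdicts {
		fmt.Printf("ok=%-5v %-28s %s\n", v.OK, v.Name, v.Why)
	}
}
```

Run with go run: the first entry is allowed and the four hostile entries are rejected with their reason. The parent-component check is the part most often forgotten: a symlink entry followed by a file placed under it turns a write that looks relative into a write to wherever the link points, which is why the check records link entries even when it has just rejected them.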

Affected VMware Products and Versions

Severity is medium unless otherwise noted.

  • Pivotal Container Service (PKS)
    • 1.4.x versions prior to 1.4.3

Mitigation

Users of affected versions should upgrade to a release that includes a fixed kubectl. Until the upgrade is applied, avoid running kubectl cp against containers whose images are not trusted, since the vulnerability is triggered by the tar binary inside the container rather than by anything on the user's machine; after upgrading, kubectl version --client should report a client version at or above the fixed Kubernetes releases listed in the description. Releases that have fixed this issue include:

  • Pivotal Container Service (PKS)
    • 1.4.3

References

History

2019-10-23: Initial vulnerability report published.