Gardener Security Announcement - CVE-2018-2475 - please update to Gardener 0.12.4


Frederik Thormaehlen

Oct 19, 2018, 8:38:31 AM
to gardener

We have recently released Gardener 0.12.3 and 0.12.4 [0], where we continued to address the same security issue related to missing network isolation in the Gardener context, as we had already started in release 0.11.0 [1] and continued in 0.12.2 [2], which introduced CVE-2018-2475 [3]. We now recommend that all Gardener instances be updated immediately to release 0.12.4. The following Gardener pull requests continue to fix this vulnerability: PR #461 [4], PR #465 [5]. Please take into consideration that the introduced Gardener security patch is applied in all Gardener-managed shoot clusters where reconciliation is active. Reconciliation is inactive in those shoot clusters where the following annotation is configured: metadata:annotations:shoot.garden.sapcloud.io/ignore: 'true'.


Thanks again to Michael Schubert and Alban Crequy from Kinvolk for reporting this issue.


Frederik Thormaehlen (on behalf of the Gardener Security Team)


PS: If you find a security vulnerability in Gardener, please report it following the Gardener security disclosure process [6] which is appropriate for your finding.


[0] https://github.com/gardener/gardener/releases

[1] https://groups.google.com/forum/#!topic/gardener/-RkBPnuucEs

[2] https://groups.google.com/forum/#!topic/gardener/OjfKEe1LwXo

[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2475 and https://nvd.nist.gov/vuln/detail/CVE-2018-2475

[4] https://github.com/gardener/gardener/pull/461

[5] https://github.com/gardener/gardener/pull/465

[6] https://github.com/gardener/documentation/blob/master/security-release-process.md#disclosures
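Because the patch only reaches shoots that Gardener still reconciles, an operator applying this announcement will want a list of the shoots that carry the ignore annotation. The following is an added Python example, not code from the announcement or from the Gardener project: it reads the JSON that `kubectl get shoots --all-namespaces -o json` produces (a constructed sample is embedded so it runs offline) and reports the shoots the 0.12.4 patch will not reach until the annotation is removed. It assumes that only the exact string value 'true' disables reconciliation; verify that against the Gardener version you run.

```python
import json

IGNORE_ANNOTATION = "shoot.garden.sapcloud.io/ignore"

# Constructed sample in the shape of `kubectl get shoots --all-namespaces -o json`;
# these are not real cluster names.
SAMPLE_SHOOT_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"metadata": {"namespace": "garden-team-a", "name": "prod",
                      "annotations": {IGNORE_ANNOTATION: "true"}}},
        {"metadata": {"namespace": "garden-team-a", "name": "dev",
                      "annotations": {}}},
        {"metadata": {"namespace": "garden-team-b", "name": "staging"}},
        {"metadata": {"namespace": "garden-team-b", "name": "legacy",
                      "annotations": {IGNORE_ANNOTATION: "false"}}},
    ],
})


def reconciliation_ignored(shoot: dict) -> bool:
    """True if the shoot carries the ignore annotation with the value 'true'.

    Assumption (not stated in the announcement): only the exact string 'true'
    switches reconciliation off; 'false' or a missing annotation leaves it on.
    """
    annotations = shoot.get("metadata", {}).get("annotations") or {}
    return annotations.get(IGNORE_ANNOTATION) == "true"


def unpatched_shoots(shoot_list_json: str) -> list:
    """Return sorted 'namespace/name' refs for shoots the patch will not reach."""
    shoots = json.loads(shoot_list_json).get("items", [])
    return sorted(
        f"{s['metadata']['namespace']}/{s['metadata']['name']}"
        for s in shoots
        if reconciliation_ignored(s)
    )


if __name__ == "__main__":
    # Pipe real output in place of the sample: kubectl get shoots -A -o json
    for ref in unpatched_shoots(SAMPLE_SHOOT_LIST):
        print(f"reconciliation disabled, patch not applied: {ref}")
```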
