Gardener Security Announcement - CVE-2019-12494 - Incorrect access control in Gardener, please update to v0.20.0 or higher
Thormaehlen, Frederik
Jun 4, 2019, 9:53:13 AM6/4/19
to gard...@googlegroups.com
Hello Gardener Community,
A security-related issue was discovered in Gardener. The issue is medium severity (CVSS v3 5.9) [1] and can be mitigated with an update to Gardener v0.20.0 [2] or higher [3].
*Vulnerability Details*
Incorrect access control in seed clusters allows information disclosure by sending HTTP GET requests from one's own shoot clusters to foreign shoot clusters. This occurred because traffic from shoot clusters to their corresponding seed cluster via VPN endpoint was not blocked in Gardener before v0.20.0.
This issue is filed as CVE-2019-12494. See the GitHub Issue #40 [4] and PR #874 [6] for details.
*Am I vulnerable?*
In the Gardener Dashboard you can see in the upper right corner under "?" the "API version". If it is < 0.20.0 you are running a vulnerable Gardener version.
*How do I mitigate the vulnerability?*
All Gardener users are recommended to update their Gardener instances to v0.20.0 [2] or higher [3].
Thank You,
Frederik on behalf of the Gardener Security Team
As a reminder, if you find a security issue in Gardener, please report it following the Gardener security disclosure process [6] which is appropriate for your finding.
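The "Am I vulnerable?" check above compares the dashboard's "API version" against v0.20.0. The following is an added example (not Gardener project code) that does that comparison for a batch of version strings; it assumes versions look like "v0.19.2", "0.20.0" or "v0.21.0-dev" and treats anything else as unknown rather than guessing.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# First Gardener release in which shoot-to-foreign-shoot traffic via the
# seed VPN endpoint is blocked (from the advisory, CVE-2019-12494).
FIXED_VERSION = "v0.20.0"

# Optional leading "v", three numeric components, optional "-dev"/"+build" suffix.
# The accepted formats are an assumption for this example.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Turn 'v0.19.2' / '0.20.0' / 'v0.21.0-dev' into (major, minor, patch).

    Returns None for strings that are not a recognisable release version,
    so callers can report them instead of silently treating them as fixed.
    """
    m = _VERSION_RE.match(text.strip())
    if m is None:
        return None
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def is_vulnerable(api_version: str) -> Optional[bool]:
    """True if the version is below v0.20.0, False if fixed, None if unparseable."""
    current = parse_version(api_version)
    fixed = parse_version(FIXED_VERSION)
    if current is None or fixed is None:
        return None
    # Tuple comparison is numeric per component, so 0.9.9 < 0.20.0 holds.
    return current < fixed


def triage(versions: Iterable[str]) -> Dict[str, Optional[bool]]:
    """Map each reported version string to its vulnerability verdict."""
    return {v: is_vulnerable(v) for v in versions}


# Constructed sample values, as read from the dashboard's "?" menu on several landscapes.
SAMPLES = ["v0.19.2", "0.20.0", "v0.21.0-dev", "0.9.9", "unknown"]

if __name__ == "__main__":
    for version, verdict in triage(SAMPLES).items():
        label = {True: "VULNERABLE - update", False: "fixed", None: "unrecognised"}[verdict]
        print(f"{version:>12}: {label}")
```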