Gardener Security Announcement - CVE-2019-12494 - Incorrect access control in Gardener, please update to v0.20.0 or higher


Thormaehlen, Frederik

Jun 4, 2019, 9:53:13 AM
to gard...@googlegroups.com
Hello Gardener Community,

A security-related issue was discovered in Gardener. The issue is of medium severity (CVSS v3 5.9) [1] and can be mitigated with an update to Gardener v0.20.0 [2] or higher [3].

*Vulnerability Details*
Incorrect access control in seed clusters allows information disclosure by sending HTTP GET requests from one's own shoot clusters to foreign shoot clusters. This occurred because traffic from shoot clusters to their corresponding seed cluster via VPN endpoint was not blocked in Gardener before v0.20.0.

This issue is filed as CVE-2019-12494. See the GitHub Issue #40 [4] and PR #874 [5] for details.

*Am I vulnerable?*
In the Gardener Dashboard you can see the "API version" in the upper right corner under "?". If it is < 0.20.0, you are running a vulnerable Gardener version.

*How do I mitigate the vulnerability?*
All Gardener users are advised to update their Gardener instances to v0.20.0 [2] or higher [3].

Thank You,

Frederik on behalf of the Gardener Security Team

As a reminder, if you find a security issue in Gardener, please report it following the Gardener security disclosure process [6] which is appropriate for your finding.

[1] https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
[2] https://github.com/gardener/gardener/releases/tag/0.20.0
[3] https://github.com/gardener/gardener/releases/
[4] https://github.com/gardener/vpn/issues/40
[5] https://github.com/gardener/gardener/pull/874
[6] https://gardener.cloud/045_contribute/10_code/12-security_guide/
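The "Am I vulnerable?" check above compares the dashboard's "API version" against 0.20.0 by hand. The following added example (not code from the announcement or from the Gardener project) does that comparison programmatically; it assumes the version string looks like `0.19.4`, `v0.20.0` or `0.20.0-rc1`, and conservatively treats pre-release builds of 0.20.0 as still vulnerable, since the announcement only names the final 0.20.0 release as fixed.

```python
import re

# First Gardener release stated in the announcement to contain the fix
# for CVE-2019-12494.
FIXED_VERSION = (0, 20, 0)

# Optional "v" prefix, three numeric components, optional "-prerelease"
# and optional "+build" metadata (build metadata is ignored).
_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)


def parse_version(version: str):
    """Parse a Gardener version string into (major, minor, patch, prerelease).

    prerelease is '' for a final release. Raises ValueError for strings that
    are not a version (e.g. 'latest'), so callers never silently treat an
    unparsable value as safe.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"not a recognised Gardener version: {version!r}")
    major, minor, patch, prerelease = m.groups()
    return int(major), int(minor), int(patch), (prerelease or "")


def is_vulnerable(version: str) -> bool:
    """True if the given Gardener API version predates the fix (< 0.20.0).

    Assumption made here: pre-release builds of 0.20.0 itself (such as
    '0.20.0-rc1') are reported as vulnerable, because only the final 0.20.0
    release or later is known from the announcement to contain the fix.
    """
    major, minor, patch, prerelease = parse_version(version)
    core = (major, minor, patch)
    if core < FIXED_VERSION:
        return True
    return core == FIXED_VERSION and prerelease != ""


if __name__ == "__main__":
    # Constructed sample values, as they might be read from the dashboard.
    for v in ("0.19.4", "v0.20.0", "0.20.0-rc1", "0.21.2"):
        state = "VULNERABLE" if is_vulnerable(v) else "fixed"
        print(f"Gardener {v}: {state}")
```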

---
You received this message because you are subscribed to the Google Groups "gardener" group https://groups.google.com/forum/#!forum/gardener