Hello Kubernetes Community,
A security issue was discovered in kubectl versions v1.13.10, v1.14.6, and v1.15.3. The issue is of a medium severity and upgrading of kubectl is encouraged to fix the vulnerability.
Am I vulnerable?
Run `kubectl version --client` and if it returns versions v1.13.10, v1.14.6, and v1.15.3, you are running a vulnerable version.
How do I upgrade?
The details for this vulnerability are very similar to CVE-2019-1002101 and CVE-2019-11246.
A vulnerability has been discovered in `kubectl cp` that allows a combination of two symlinks to copy a file outside of its destination directory. This could be used to allow an attacker to place a netfarious file using a symlink, outside of the destination tree.
This issue is filed as CVE-2019-11251 .
Two fixes were formulated, one fix to remove symlink support going forwards and a fix with cherry picks made to ensure backwards compatibility.
See
https://github.com/kubernetes/kubernetes/pull/82143 for main fix in v1.16.0 which removes the support of symlinks in kubectl cp. After version 1.16.0, symlink support with `kubectl cp` is removed, it is recommended instead to use a combination of exec+tar.
A second fix has been made to 1.15.4 and backported to 1.14.7 and 1.13.11. This changes the` kubectl cp` un-tar symlink logic, by unpacking the symlinks after all the regular files have been unpacked. This then guarantees that a file can't be written through a symlink.
See
https://github.com/kubernetes/kubernetes/pull/82384 for the fix to version 1.15.4. The following Cherry picks were made from this fix to earlier versions of v1.14.7 and v1.13.11:
See
https://github.com/kubernetes/kubernetes/pull/82502 for version 1.14.7
See
https://github.com/kubernetes/kubernetes/pull/82503 for version 1.13.11
Thank you to Erik Sjölund for discovering this issue, Tim Allclair and Maciej Szulik for both fixes and the patch release managers for including the fix in their releases.
Thank You,
Luke Hinds on behalf of the Kubernetes Product Security Committee