[ANNOUNCE] Security release of Kubernetes kubectl - potential directory traversal - Releases 1.11.9, 1.12.7, 1.13.5, and 1.14.0 - CVE-2019-1002101
Brandon Philips
Hello Kubernetes Community-
A security issue was discovered with the Kubernetes `kubectl cp` command that could enable a directory traversal replacing or deleting files on a user’s workstation. The issue is High severity and upgrading kubectl to Kubernetes 1.11.9, 1.12.7, 1.13.5, and 1.14.0 is encouraged to fix this issue.
**Am I vulnerable?**
Run `kubectl version --client` and if it does not say version 1.11.9, 1.12.7, 1.13.5, and 1.14.0 or newer you are running a vulnerable version.
**How do I upgrade?**
Follow installation instructions here https://kubernetes.io/docs/tasks/tools/install-kubectl/
Not all instructions will provide up to date kubectl versions at the time of this announcement. So, always confirm with `kubectl version --client`.
**Vulnerability Details**
The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes creates a tar inside the container, copies it over the network, and kubectl unpacks it on the user’s machine.
If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on the user’s machine when kubectl cp is called, limited only by the system permissions of the local user.
Since fixing CVE-2018-1002100, the untar function calls the `cp.go:clean` to strip path traversals. However, that function can both create and follow symbolic links.
See https://github.com/kubernetes/kubernetes/pull/75037 for details on the fix.
**Thank you**
Thank you to the reporter Ariel Zelivansky of Twistlock for identifying the issue, Maciej Szulik, Tim Pepper, and the patch release managers for the coordination in making this release.
Thank You,
Brandon on behalf of the Kubernetes Product Security Committee