[ANNOUNCE] CVE-2019-11248: /debug/pprof exposed on kubelet's healthz port

592 views
Skip to first unread message

Tim Allclair

unread,
Aug 6, 2019, 12:36:22 PM8/6/19
to Kubernetes developer/contributor discussion, kubernetes-sec...@googlegroups.com, kubernetes-se...@googlegroups.com, oss-se...@lists.openwall.com
Hello Kubernetes Community,

The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet healthz port. Versions prior to 1.15.0, 1.14.4, 1.13.8, and 1.12.10 are affected. The issue is of medium severity, but only exposed locally by the default configuration. If you are exposed we recommend upgrading to at least one of the versions listed.


Am I vulnerable?


By default, the Kubelet exposes unauthenticated healthz endpoints on port :10248, but only over localhost. If your nodes are using a non-localhost healthzBindAddress (--health-bind-address), and an older version, you may be vulnerable. If your nodes are using the default localhost healthzBindAddress, it is only exposed to pods or processes running in the host network namespace.


Run `kubectl get nodes` to see whether nodes are running a vulnerable version.

Run `kubectl get --raw /api/v1/nodes/${NODE_NAME}/proxy/configz` to check whether the "healthzBindAddress" is non-local.


How do I mitigate the vulnerability?


Upgrade to the latest patch releases for 1.15, 1.14 or 1.13

Or, update node configurations to set the "healthzBindAddress" to "127.0.0.1".


Vulnerability Details


The go pprof endpoint is exposed over the Kubelet's healthz port. This debugging endpoint can potentially leak sensitive information such as internal Kubelet memory addresses and configuration, or for limited denial of service.


This issue has been filed as CVE-2019-11248. See https://github.com/kubernetes/kubernetes/issues/81023 for more details


Thanks to Jordan Zebor of F5 Networks for reporting this problem.


Thank You,


Tim Allclair on behalf of the Kubernetes Product Security Committee




Reply all
Reply to author
Forward
0 new messages