CVE-2019-11245 - OpenCVE

In kubelet v1.13.6 and v1.14.2, containers for pods that do not specify an explicit runAsUser attempt to run as uid 0 (root) on container restart, or if the image was previously pulled to the node. If the pod specified mustRunAsNonRoot: true, the kubelet will refuse to start the container as root. If the pod did not specify mustRunAsNonRoot: true, the kubelet will run the container as uid 0.

No CVSS v3.1

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:L/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Kubernetes	Kubernetes

Configuration 1 [-]

OR	cpe:2.3:a:kubernetes:kubernetes:1.13.6:::::::*
	cpe:2.3:a:kubernetes:kubernetes:1.14.2:::::::*

References

Link	Resource
https://github.com/kubernetes/kubernetes/issues/78308	Exploit Patch Third Party Advisory
https://security.netapp.com/advisory/ntap-20190919-0003/

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: kubernetes

Published: 2019-05-24T00:00:00

Updated: 2019-09-19T16:06:08

Reserved: 2019-04-17T00:00:00

Link: CVE-2019-11245

JSON object: View

NVD Information

Status : Modified

Published: 2019-08-29T01:15:11.147

Modified: 2019-09-19T17:15:11.207

Link: CVE-2019-11245

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "Kubernetes", "vendor": "Kubernetes", "versions": [{"status": "affected", "version": "v1.13.6"}, {"status": "affected", "version": "v1.14.2"}]}], "datePublic": "2019-05-24T00:00:00", "descriptions": [{"lang": "en", "value": "In kubelet v1.13.6 and v1.14.2, containers for pods that do not specify an explicit runAsUser attempt to run as uid 0 (root) on container restart, or if the image was previously pulled to the node. If the pod specified mustRunAsNonRoot: true, the kubelet will refuse to start the container as root. If the pod did not specify mustRunAsNonRoot: true, the kubelet will run the container as uid 0."}], "metrics": [{"cvssV3_0": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-703", "description": "CWE-703: Improper Check or Handling of Exceptional Conditions", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-09-19T16:06:08", "orgId": "a6081bf6-c852-4425-ad4f-a67919267565", "shortName": "kubernetes"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/kubernetes/kubernetes/issues/78308"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20190919-0003/"}], "source": {"defect": ["https://github.com/kubernetes/kubernetes/issues/78308"], "discovery": "USER"}, "title": "kubelet-started container uid changes to root after first restart or if image is already pulled to the node", "workarounds": [{"lang": "en", "value": "Specify runAsUser directives in pods to control the uid a container runs as. Specify mustRunAsNonRoot:true directives in pods to prevent starting as root (note this means the attempt to start the container will fail on affected kubelet versions)."}], "x_generator": {"engine": "Vulnogram 0.0.7"}, "x_legacyV4Record": {"CVE_data_meta": {"AKA": "", "ASSIGNER": "security@kubernetes.io", "DATE_PUBLIC": "2019-05-24", "ID": "CVE-2019-11245", "STATE": "PUBLIC", "TITLE": "kubelet-started container uid changes to root after first restart or if image is already pulled to the node"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Kubernetes", "version": {"version_data": [{"platform": "", "version_affected": "=", "version_name": "v1.13", "version_value": "v1.13.6"}, {"platform": "", "version_affected": "=", "version_name": "v1.14", "version_value": "v1.14.2"}]}}]}, "vendor_name": "Kubernetes"}]}}, "configuration": [], "credit": [], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In kubelet v1.13.6 and v1.14.2, containers for pods that do not specify an explicit runAsUser attempt to run as uid 0 (root) on container restart, or if the image was previously pulled to the node. If the pod specified mustRunAsNonRoot: true, the kubelet will refuse to start the container as root. If the pod did not specify mustRunAsNonRoot: true, the kubelet will run the container as uid 0."}]}, "exploit": [], "generator": {"engine": "Vulnogram 0.0.7"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-703: Improper Check or Handling of Exceptional Conditions"}]}]}, "references": {"reference_data": [{"name": "https://github.com/kubernetes/kubernetes/issues/78308", "refsource": "CONFIRM", "url": "https://github.com/kubernetes/kubernetes/issues/78308"}, {"name": "https://security.netapp.com/advisory/ntap-20190919-0003/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20190919-0003/"}]}, "solution": [], "source": {"advisory": "", "defect": ["https://github.com/kubernetes/kubernetes/issues/78308"], "discovery": "USER"}, "work_around": [{"lang": "en", "value": "Specify runAsUser directives in pods to control the uid a container runs as. Specify mustRunAsNonRoot:true directives in pods to prevent starting as root (note this means the attempt to start the container will fail on affected kubelet versions)."}]}}}, "cveMetadata": {"assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565", "assignerShortName": "kubernetes", "cveId": "CVE-2019-11245", "datePublished": "2019-05-24T00:00:00", "dateReserved": "2019-04-17T00:00:00", "dateUpdated": "2019-09-19T16:06:08", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kubernetes:kubernetes:1.13.6:*:*:*:*:*:*:*", "matchCriteriaId": "91091DC9-FC24-41B5-BABC-0578CFC6ACBC", "vulnerable": true}, {"criteria": "cpe:2.3:a:kubernetes:kubernetes:1.14.2:*:*:*:*:*:*:*", "matchCriteriaId": "7067A9B9-8EA2-4CB7-A80D-E1A79495F463", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In kubelet v1.13.6 and v1.14.2, containers for pods that do not specify an explicit runAsUser attempt to run as uid 0 (root) on container restart, or if the image was previously pulled to the node. If the pod specified mustRunAsNonRoot: true, the kubelet will refuse to start the container as root. If the pod did not specify mustRunAsNonRoot: true, the kubelet will run the container as uid 0."}, {"lang": "es", "value": "En kubelet v1.13.6 y v1.14.2, los contenedores para pods que no especifican un intento runAsUser expl\u00edcito de ejecutarse como uid 0 (ra\u00edz) en el reinicio del contenedor, o si la imagen se extrajo previamente en el nodo. Si el pod especificado mustRunAsNonRoot: true, el kubelet se negar\u00e1 a iniciar el contenedor como root. Si el pod no especific\u00f3 mustRunAsNonRoot: true, el kubelet ejecutar\u00e1 el contenedor como uid 0."}], "id": "CVE-2019-11245", "lastModified": "2019-09-19T17:15:11.207", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0"}, "exploitabilityScore": 1.4, "impactScore": 3.4, "source": "jordan@liggitt.net", "type": "Secondary"}]}, "published": "2019-08-29T01:15:11.147", "references": [{"source": "jordan@liggitt.net", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://github.com/kubernetes/kubernetes/issues/78308"}, {"source": "jordan@liggitt.net", "url": "https://security.netapp.com/advisory/ntap-20190919-0003/"}], "sourceIdentifier": "jordan@liggitt.net", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-703"}], "source": "jordan@liggitt.net", "type": "Secondary"}]}