#VU30804 Permissions, Privileges, and Access Controls in Kubernetes


Published: 2019-08-29 | Updated: 2020-07-17

Vulnerability identifier: #VU30804

Vulnerability risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-11247

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Kubernetes
Server applications / Frameworks for developing and running applications

Vendor: Kubernetes

Description

The vulnerability allows a remote authenticated user to read and manipulate data.

The Kubernetes kube-apiserver mistakenly allows access to a cluster-scoped custom resource if the request is made as if the resource were namespaced (that is, through a URL path of the form /apis/<group>/<version>/namespaces/<namespace>/<resource>). Authorization for a resource accessed in this manner is enforced using the roles and role bindings of the named namespace, meaning that a user with access only to that resource type in one namespace could create, view, update or delete the cluster-scoped resource (according to their namespace role privileges). Affected Kubernetes versions include versions prior to 1.13.9, versions prior to 1.14.5, versions prior to 1.15.2, and versions 1.7, 1.8, 1.9, 1.10, 1.11 and 1.12.
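The following Python script is an added example for this advisory, not code from the Kubernetes project. It shows how the access pattern described above looks in kube-apiserver audit logs (audit.k8s.io/v1 events in JSON-lines form) and flags requests that address a cluster-scoped custom resource through a namespaced path. The API group, resource plurals, namespace, user names and audit events are constructed sample data; in a real cluster the set of cluster-scoped resources would be derived from the CRD definitions (spec.scope set to Cluster), and the 404 used for the refused request is an assumption of the sample.

```python
"""Flag audit events that address a cluster-scoped custom resource through a
namespaced URL path (the access pattern behind CVE-2019-11247).

Added example for this advisory, not Kubernetes project code. Input is a
kube-apiserver audit log in audit.k8s.io/v1 JSON-lines form; the CRDs,
namespace, users and events below are constructed sample data."""
import json
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed: (API group, resource plural) pairs that are cluster-scoped in
# the hypothetical cluster. Derive this from the real CRDs with
# `kubectl get crd -o json`, keeping entries whose .spec.scope == "Cluster".
CLUSTER_SCOPED: Set[Tuple[str, str]] = {
    ("example.io", "clusterpolicies"),
    ("example.io", "nodeprofiles"),
}

# /apis/<group>/<version>/namespaces/<ns>/<resource>[/<name>...][?query]
NAMESPACED_CR_PATH = re.compile(
    r"^/apis/(?P<group>[^/]+)/(?P<version>[^/]+)/namespaces/(?P<ns>[^/]+)/(?P<resource>[^/?]+)"
)


def is_scope_confusion(event: Dict) -> bool:
    """True when the request URI names a namespace but the resource is cluster-scoped."""
    m = NAMESPACED_CR_PATH.match(event.get("requestURI", ""))
    if not m:
        return False
    return (m.group("group"), m.group("resource")) in CLUSTER_SCOPED


def scan(lines: Iterable[str]) -> List[Dict]:
    """Return one finding per completed request that shows the pattern.

    Only ResponseComplete events are used so each request is reported once and
    the response code is available: a 2xx code means the apiserver served the
    cluster-scoped object under namespace RBAC (unpatched server); an error
    code is an attempt that was refused but is still worth attributing to a user.
    """
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        if ev.get("stage") != "ResponseComplete":
            continue
        if is_scope_confusion(ev):
            findings.append({
                "user": ev.get("user", {}).get("username"),
                "verb": ev.get("verb"),
                "uri": ev.get("requestURI"),
                "code": ev.get("responseStatus", {}).get("code"),
            })
    return findings


# Constructed sample audit events: one successful list of a cluster-scoped CR
# via a namespaced path (200, as on an unpatched server), one delete attempt
# that the sample assumes a patched server rejected with 404, and benign
# traffic (a direct cluster-scoped request, core pods, a namespaced CRD).
SAMPLE_AUDIT = r"""
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:dev:ci"},"requestURI":"/apis/example.io/v1/namespaces/dev/clusterpolicies?limit=500","responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"list","user":{"username":"admin"},"requestURI":"/apis/example.io/v1/clusterpolicies","responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"RequestReceived","verb":"delete","user":{"username":"system:serviceaccount:dev:ci"},"requestURI":"/apis/example.io/v1/namespaces/dev/nodeprofiles/worker-1"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"delete","user":{"username":"system:serviceaccount:dev:ci"},"requestURI":"/apis/example.io/v1/namespaces/dev/nodeprofiles/worker-1","responseStatus":{"code":404}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:dev:ci"},"requestURI":"/api/v1/namespaces/dev/pods","responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:dev:ci"},"requestURI":"/apis/example.io/v1/namespaces/dev/widgets","responseStatus":{"code":200}}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_AUDIT.splitlines()):
        print(f"{f['code']} {f['verb']:6} {f['user']} {f['uri']}")
```

Run against a real audit log with `python3 scan.py < audit.log` after replacing SAMPLE_AUDIT with stdin and CLUSTER_SCOPED with the cluster's own cluster-scoped CRDs. Hits with a 2xx code are the ones that matter: they show a namespace-bound identity being served a cluster-scoped object, which is exactly what a fixed apiserver no longer does. Note that the audit policy must record requestURI at Metadata level or higher for this to work.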

Mitigation
Install the update from the vendor's website (Kubernetes 1.13.9, 1.14.5 or 1.15.2 and later, per the description above).

Vulnerable software versions

Kubernetes: 1.15.0 - 1.15.1


External links
http://access.redhat.com/errata/RHBA-2019:2816
http://access.redhat.com/errata/RHBA-2019:2824
http://access.redhat.com/errata/RHSA-2019:2690
http://access.redhat.com/errata/RHSA-2019:2769
http://github.com/kubernetes/kubernetes/issues/80983
http://groups.google.com/d/msg/kubernetes-security-announce/vUtEcSEY6SM/v2ZZxsmtFQAJ
http://security.netapp.com/advisory/ntap-20190919-0003/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
