CVE-2019-11245 - OpenCVE

In kubelet v1.13.6 and v1.14.2, containers for pods that do not specify an explicit runAsUser attempt to run as uid 0 (root) on container restart, or if the image was previously pulled to the node. If the pod specified mustRunAsNonRoot: true, the kubelet will refuse to start the container as root. If the pod did not specify mustRunAsNonRoot: true, the kubelet will run the container as uid 0.

No CVSS v4.0

No CVSS v3.1

Attack Vector Local

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:L/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Kubernetes	Kubernetes

Configuration 1 [-]

OR	cpe:2.3:a:kubernetes:kubernetes:1.13.6:::::::*
	cpe:2.3:a:kubernetes:kubernetes:1.14.2:::::::*

No data.

References

Link	Providers
https://discuss.kubernetes.io/t/security-regression-in-kubernetes-kubelet-v1-13-6-and-v1-14-2-only-cve-2019-11245/6584
https://github.com/kubernetes/kubernetes/issues/78308
https://nvd.nist.gov/vuln/detail/CVE-2019-11245
https://security.netapp.com/advisory/ntap-20190919-0003/
https://www.cve.org/CVERecord?id=CVE-2019-11245

History

No history.

MITRE

Status: PUBLISHED

Assigner: kubernetes

Published: 2019-08-29T00:22:24.173224Z

Updated: 2024-09-16T22:09:44.877Z

Reserved: 2019-04-17T00:00:00

Link: CVE-2019-11245

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-08-29T01:15:11.147

Modified: 2019-09-19T17:15:11.207

Link: CVE-2019-11245

Redhat

Severity : Moderate

Publid Date: 2019-05-24T00:00:00Z

Links: CVE-2019-11245 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "Kubernetes", "vendor": "Kubernetes", "versions": [{"status": "affected", "version": "v1.13.6"}, {"status": "affected", "version": "v1.14.2"}]}], "datePublic": "2019-05-24T00:00:00", "descriptions": [{"lang": "en", "value": "In kubelet v1.13.6 and v1.14.2, containers for pods that do not specify an explicit runAsUser attempt to run as uid 0 (root) on container restart, or if the image was previously pulled to the node. If the pod specified mustRunAsNonRoot: true, the kubelet will refuse to start the container as root. If the pod did not specify mustRunAsNonRoot: true, the kubelet will run the container as uid 0."}], "metrics": [{"cvssV3_0": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-703", "description": "CWE-703: Improper Check or Handling of Exceptional Conditions", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-09-19T16:06:08", "orgId": "a6081bf6-c852-4425-ad4f-a67919267565", "shortName": "kubernetes"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/kubernetes/kubernetes/issues/78308"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20190919-0003/"}], "source": {"defect": ["https://github.com/kubernetes/kubernetes/issues/78308"], "discovery": "USER"}, "title": "kubelet-started container uid changes to root after first restart or if image is already pulled to the node", "workarounds": [{"lang": "en", "value": "Specify runAsUser directives in pods to control the uid a container runs as. Specify mustRunAsNonRoot:true directives in pods to prevent starting as root (note this means the attempt to start the container will fail on affected kubelet versions)."}], "x_generator": {"engine": "Vulnogram 0.0.7"}, "x_legacyV4Record": {"CVE_data_meta": {"AKA": "", "ASSIGNER": "security@kubernetes.io", "DATE_PUBLIC": "2019-05-24", "ID": "CVE-2019-11245", "STATE": "PUBLIC", "TITLE": "kubelet-started container uid changes to root after first restart or if image is already pulled to the node"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Kubernetes", "version": {"version_data": [{"platform": "", "version_affected": "=", "version_name": "v1.13", "version_value": "v1.13.6"}, {"platform": "", "version_affected": "=", "version_name": "v1.14", "version_value": "v1.14.2"}]}}]}, "vendor_name": "Kubernetes"}]}}, "configuration": [], "credit": [], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In kubelet v1.13.6 and v1.14.2, containers for pods that do not specify an explicit runAsUser attempt to run as uid 0 (root) on container restart, or if the image was previously pulled to the node. If the pod specified mustRunAsNonRoot: true, the kubelet will refuse to start the container as root. If the pod did not specify mustRunAsNonRoot: true, the kubelet will run the container as uid 0."}]}, "exploit": [], "generator": {"engine": "Vulnogram 0.0.7"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-703: Improper Check or Handling of Exceptional Conditions"}]}]}, "references": {"reference_data": [{"name": "https://github.com/kubernetes/kubernetes/issues/78308", "refsource": "CONFIRM", "url": "https://github.com/kubernetes/kubernetes/issues/78308"}, {"name": "https://security.netapp.com/advisory/ntap-20190919-0003/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20190919-0003/"}]}, "solution": [], "source": {"advisory": "", "defect": ["https://github.com/kubernetes/kubernetes/issues/78308"], "discovery": "USER"}, "work_around": [{"lang": "en", "value": "Specify runAsUser directives in pods to control the uid a container runs as. Specify mustRunAsNonRoot:true directives in pods to prevent starting as root (note this means the attempt to start the container will fail on affected kubelet versions)."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T22:48:09.001Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/kubernetes/kubernetes/issues/78308"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20190919-0003/"}]}]}, "cveMetadata": {"assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565", "assignerShortName": "kubernetes", "cveId": "CVE-2019-11245", "datePublished": "2019-08-29T00:22:24.173224Z", "dateReserved": "2019-04-17T00:00:00", "dateUpdated": "2024-09-16T22:09:44.877Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kubernetes:kubernetes:1.13.6:*:*:*:*:*:*:*", "matchCriteriaId": "91091DC9-FC24-41B5-BABC-0578CFC6ACBC", "vulnerable": true}, {"criteria": "cpe:2.3:a:kubernetes:kubernetes:1.14.2:*:*:*:*:*:*:*", "matchCriteriaId": "7067A9B9-8EA2-4CB7-A80D-E1A79495F463", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In kubelet v1.13.6 and v1.14.2, containers for pods that do not specify an explicit runAsUser attempt to run as uid 0 (root) on container restart, or if the image was previously pulled to the node. If the pod specified mustRunAsNonRoot: true, the kubelet will refuse to start the container as root. If the pod did not specify mustRunAsNonRoot: true, the kubelet will run the container as uid 0."}, {"lang": "es", "value": "En kubelet v1.13.6 y v1.14.2, los contenedores para pods que no especifican un intento runAsUser expl\u00edcito de ejecutarse como uid 0 (ra\u00edz) en el reinicio del contenedor, o si la imagen se extrajo previamente en el nodo. Si el pod especificado mustRunAsNonRoot: true, el kubelet se negar\u00e1 a iniciar el contenedor como root. Si el pod no especific\u00f3 mustRunAsNonRoot: true, el kubelet ejecutar\u00e1 el contenedor como uid 0."}], "id": "CVE-2019-11245", "lastModified": "2019-09-19T17:15:11.207", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0"}, "exploitabilityScore": 1.4, "impactScore": 3.4, "source": "jordan@liggitt.net", "type": "Secondary"}]}, "published": "2019-08-29T01:15:11.147", "references": [{"source": "jordan@liggitt.net", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://github.com/kubernetes/kubernetes/issues/78308"}, {"source": "jordan@liggitt.net", "url": "https://security.netapp.com/advisory/ntap-20190919-0003/"}], "sourceIdentifier": "jordan@liggitt.net", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-703"}], "source": "jordan@liggitt.net", "type": "Secondary"}]}

{"bugzilla": {"description": "kubernetes: container uid changes to root after first restart", "id": "1715726", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1715726"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.9", "cvss3_scoring_vector": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "status": "draft"}, "cwe": "CWE-266", "details": ["In kubelet v1.13.6 and v1.14.2, containers for pods that do not specify an explicit runAsUser attempt to run as uid 0 (root) on container restart, or if the image was previously pulled to the node. If the pod specified mustRunAsNonRoot: true, the kubelet will refuse to start the container as root. If the pod did not specify mustRunAsNonRoot: true, the kubelet will run the container as uid 0."], "mitigation": {"lang": "en:us", "value": "There are two potential mitigations to this issue:\n1. Downgrade to kubelet v1.13.5 or v1.14.1 as instructed by your Kubernetes distribution.\n2. Set RunAsUser on all pods in the cluster that should not run as root. This is a Security Context feature; the docs are at https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod"}, "name": "CVE-2019-11245", "package_state": [{"cpe": "cpe:/a:redhat:openshift:3.10", "fix_state": "Not affected", "package_name": "atomic-openshift", "product_name": "Red Hat OpenShift Container Platform 3.10"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Not affected", "package_name": "atomic-openshift", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:3.6", "fix_state": "Not affected", "package_name": "atomic-openshift", "product_name": "Red Hat OpenShift Container Platform 3.6"}, {"cpe": "cpe:/a:redhat:openshift:3.7", "fix_state": "Not affected", "package_name": "atomic-openshift", "product_name": "Red Hat OpenShift Container Platform 3.7"}, {"cpe": "cpe:/a:redhat:openshift:3.9", "fix_state": "Not affected", "package_name": "atomic-openshift", "product_name": "Red Hat OpenShift Container Platform 3.9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "heketi", "product_name": "Red Hat Storage 3"}], "public_date": "2019-05-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-11245\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-11245\nhttps://discuss.kubernetes.io/t/security-regression-in-kubernetes-kubelet-v1-13-6-and-v1-14-2-only-cve-2019-11245/6584"], "statement": "This vulnerability only affects upstream Kubernetes versions 1.13.6 and 1.14.2. All released versions of Red Hat OpenShift Container Platform and Red Hat Gluster Storage 3 are not affected by this flaw as they do not contain the vulnerable code.", "threat_severity": "Moderate", "upstream_fix": "kubernetes 1.13.7, kubernetes 1.14.3"}