CVE-2020-8563 - OpenCVE

In Kubernetes clusters using VSphere as a cloud provider, with a logging level set to 4 or above, VSphere cloud credentials will be leaked in the cloud controller manager's log. This affects < v1.19.3.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Kubernetes	Kubernetes
Redhat	Openshift

Configuration 1 [-]

cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat OpenShift Container Platform 4.6
openshift-0:4.6.0-202012051246.p0.git.94231.efc9027.el8	cpe:/a:redhat:openshift:4.6::el7	RHSA-2020:5260	2020-12-14T00:00:00Z
Red Hat OpenShift Container Platform 4.7
openshift4/ose-hyperkube:v4.7.0-202102130115.p0	cpe:/a:redhat:openshift:4.7::el8	RHSA-2020:5633	2021-02-24T00:00:00Z

References

Link	Providers
https://github.com/kubernetes/kubernetes/issues/95621
https://groups.google.com/g/kubernetes-announce/c/ScdmyORnPDk
https://groups.google.com/g/kubernetes-security-discuss/c/vm-HcrFUOCs/m/36utxAM5CwAJ
https://nvd.nist.gov/vuln/detail/CVE-2020-8563
https://security.netapp.com/advisory/ntap-20210122-0006/
https://www.cve.org/CVERecord?id=CVE-2020-8563

History

No history.

MITRE

Status: PUBLISHED

Assigner: kubernetes

Published: 2020-12-07T22:00:25.689659Z

Updated: 2024-09-16T17:18:26.773Z

Reserved: 2020-02-03T00:00:00

Link: CVE-2020-8563

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-12-07T22:15:21.197

Modified: 2021-03-29T19:31:10.220

Link: CVE-2020-8563

Redhat

Severity : Moderate

Publid Date: 2020-10-14T00:00:00Z

Links: CVE-2020-8563 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "Kubernetes", "vendor": "Kubernetes", "versions": [{"status": "affected", "version": "< 1.19.3"}]}], "credits": [{"lang": "en", "value": "Kaizhe Huang (derek0405)"}], "datePublic": "2020-10-15T00:00:00", "descriptions": [{"lang": "en", "value": "In Kubernetes clusters using VSphere as a cloud provider, with a logging level set to 4 or above, VSphere cloud credentials will be leaked in the cloud controller manager's log. This affects < v1.19.3."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-532", "description": "CWE-532 Information Exposure Through Log Files", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-01-22T12:06:19", "orgId": "a6081bf6-c852-4425-ad4f-a67919267565", "shortName": "kubernetes"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/kubernetes/kubernetes/issues/95621"}, {"name": "Multiple secret leaks when verbose logging is enabled", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://groups.google.com/g/kubernetes-security-discuss/c/vm-HcrFUOCs/m/36utxAM5CwAJ"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20210122-0006/"}], "source": {"defect": ["https://github.com/kubernetes/kubernetes/issues/95621"], "discovery": "EXTERNAL"}, "title": "Secret leaks in logs for vSphere Provider kube-controller-manager", "workarounds": [{"lang": "en", "value": "Do not enable verbose logging in production (log level >= 4), limit access to logs."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@kubernetes.io", "DATE_PUBLIC": "2020-10-15T04:00:00.000Z", "ID": "CVE-2020-8563", "STATE": "PUBLIC", "TITLE": "Secret leaks in logs for vSphere Provider kube-controller-manager"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Kubernetes", "version": {"version_data": [{"version_value": "< 1.19.3"}]}}]}, "vendor_name": "Kubernetes"}]}}, "credit": [{"lang": "eng", "value": "Kaizhe Huang (derek0405)"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Kubernetes clusters using VSphere as a cloud provider, with a logging level set to 4 or above, VSphere cloud credentials will be leaked in the cloud controller manager's log. This affects < v1.19.3."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-532 Information Exposure Through Log Files"}]}]}, "references": {"reference_data": [{"name": "https://github.com/kubernetes/kubernetes/issues/95621", "refsource": "CONFIRM", "url": "https://github.com/kubernetes/kubernetes/issues/95621"}, {"name": "Multiple secret leaks when verbose logging is enabled", "refsource": "MLIST", "url": "https://groups.google.com/g/kubernetes-security-discuss/c/vm-HcrFUOCs/m/36utxAM5CwAJ"}, {"name": "https://security.netapp.com/advisory/ntap-20210122-0006/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210122-0006/"}]}, "source": {"defect": ["https://github.com/kubernetes/kubernetes/issues/95621"], "discovery": "EXTERNAL"}, "work_around": [{"lang": "en", "value": "Do not enable verbose logging in production (log level >= 4), limit access to logs."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T10:03:46.114Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/kubernetes/kubernetes/issues/95621"}, {"name": "Multiple secret leaks when verbose logging is enabled", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://groups.google.com/g/kubernetes-security-discuss/c/vm-HcrFUOCs/m/36utxAM5CwAJ"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20210122-0006/"}]}]}, "cveMetadata": {"assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565", "assignerShortName": "kubernetes", "cveId": "CVE-2020-8563", "datePublished": "2020-12-07T22:00:25.689659Z", "dateReserved": "2020-02-03T00:00:00", "dateUpdated": "2024-09-16T17:18:26.773Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*", "matchCriteriaId": "515661A5-8AFF-45B7-932C-3B5CD32945F0", "versionEndExcluding": "1.19.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Kubernetes clusters using VSphere as a cloud provider, with a logging level set to 4 or above, VSphere cloud credentials will be leaked in the cloud controller manager's log. This affects < v1.19.3."}, {"lang": "es", "value": "En los cl\u00fasteres de Kubernetes que utilizan VSphere como proveedor de nube, con un nivel de registro establecido en 4 o superior, las credenciales de la nube de VSphere se filtrar\u00e1n en el registro del administrador del controlador de nube. Esto afecta a versiones anteriores a v1.19.3"}], "id": "CVE-2020-8563", "lastModified": "2021-03-29T19:31:10.220", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 3.6, "source": "jordan@liggitt.net", "type": "Secondary"}]}, "published": "2020-12-07T22:15:21.197", "references": [{"source": "jordan@liggitt.net", "tags": ["Third Party Advisory"], "url": "https://github.com/kubernetes/kubernetes/issues/95621"}, {"source": "jordan@liggitt.net", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "https://groups.google.com/g/kubernetes-security-discuss/c/vm-HcrFUOCs/m/36utxAM5CwAJ"}, {"source": "jordan@liggitt.net", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210122-0006/"}], "sourceIdentifier": "jordan@liggitt.net", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-532"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-532"}], "source": "jordan@liggitt.net", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank the Kubernetes Product Security Committee for reporting this issue. Upstream acknowledges Kaizhe Huang (derek0405) as the original reporter.", "affected_release": [{"advisory": "RHSA-2020:5260", "cpe": "cpe:/a:redhat:openshift:4.6::el7", "package": "openshift-0:4.6.0-202012051246.p0.git.94231.efc9027.el8", "product_name": "Red Hat OpenShift Container Platform 4.6", "release_date": "2020-12-14T00:00:00Z"}, {"advisory": "RHSA-2020:5633", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4/ose-hyperkube:v4.7.0-202102130115.p0", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-02-24T00:00:00Z"}], "bugzilla": {"description": "kubernetes: Secret leaks in kube-controller-manager when using vSphere Provider", "id": "1886635", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1886635"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-117", "details": ["In Kubernetes clusters using VSphere as a cloud provider, with a logging level set to 4 or above, VSphere cloud credentials will be leaked in the cloud controller manager's log. This affects < v1.19.3.", "A flaw was found in kubernetes. Clusters running on VSphere, using VSphere as a cloud provider a with logging level set to 4 or above, VSphere cloud credentials will be leaked in the cloud controller manager's log."], "mitigation": {"lang": "en:us", "value": "Ensure that the logging level is below 4. Additionally, protect unauthorized access to cluster logs.\nFor OCP, the logging level for core components can be configured using operators, e.g. for kube-controller-manager:\nhttps://docs.openshift.com/container-platform/latest/rest_api/operator_apis/kubecontrollermanager-operator-openshift-io-v1.html#specification\nIn OCP, a logging level of \"Debug\" is equivalent to 4: \nhttps://github.com/openshift/api/blob/master/operator/v1/types.go#L96\nThe default logging level is \"Normal\", which is equivalent to 2. Clusters running with the default level are not vulnerable to this issue."}, "name": "CVE-2020-8563", "package_state": [{"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Not affected", "package_name": "atomic-openshift", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "heketi", "product_name": "Red Hat Storage 3"}], "public_date": "2020-10-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-8563\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-8563\nhttps://github.com/kubernetes/kubernetes/issues/95621\nhttps://groups.google.com/g/kubernetes-announce/c/ScdmyORnPDk"], "statement": "OpenShift Container Platform (OCP) versions before 4.6 are not affected by this vulnerability as they are based on Kubernetes versions before 1.19. Only Kubernetes versions 1.19.0 through 1.19.2 are affected by this vulnerability.", "threat_severity": "Moderate", "upstream_fix": "kubernetes 1.19.3"}