Kubernetes has announced the vulnerability CVE-2019-11246 related to the kubectl cp. This vulnerability may allow attackers to exploit the kubectl cp command and write malicious files from the TAR package of a container to a path on the host of the container by using path traversal. This process is limited by only local system permissions.

Background information

The effects of this vulnerability are similar to those of the CVE-2019-1002101 vulnerability. For more information about the CVE-2019-1002101 vulnerability, see CVE-2019-1002101: kubectl fix potential directory traversal #75037.

The kubectl cp command is used to copy files between containers and hosts. When you copy a file from a container to your host by running the kubectl cp command, Kubernetes performs the following steps: creates a TAR file in the container, sends the package file to your host, and then decompresses the package file on your host.

If an attacker has permissions to run the kubectl cp command, the attacker can send a malicious TAR file to perform a path traversal attack on your host.

For more information about the Privileges Required (PR) of the CVE-2019-11246 vulnerability, see CVE-2019-11246: Clean links handling in cp's tar code#76788.

Affected Kubernetes versions

  • kubectl V1.11.x and earlier
  • kubectl V1.12.1 to V1.12.8 (fixed in V1.12.9)
  • kubectl V1.13.1 to v1.13.5 (fixed in V1.13.6)
  • kubectl V1.14.1 (fixed in V1.14.2)
Note You can run the kubectl version --client command to check your kubectl version.

Solution

Upgrade the kubectl and confirm the kubectl version. For more information, see Install and set up kubectl.

  • If your kubectl version is V1.12.x, upgrade it to V1.12.9.
  • If your kubectl version is V1.13.x, upgrade it to V1.13.6.
  • If your kubectl version is V1.14.x, upgrade it to V1.14.2.
  • If your kubectl version is V1.11 or earlier, upgrade it to V1.12.9, V1.13.6, or V1.14.2.