This topic describes how to fix the CVE-2019-11246 vulnerability related to the kubectl cp command.

Background information

The kubectl cp command is used to copy files between containers and hosts. When you copy a file from a container to your host, Kubernetes first runs the tar command inside the container to create an archive of the requested file and sends that archive to your host. Then, kubectl decompresses (untars) the archive on your host.

The CVE-2019-11246 vulnerability allows an attacker who controls the TAR package that kubectl cp receives to use path traversal so that the files saved in the package are written to arbitrary paths on your host.

If the TAR package contains malicious files, any user who has the permission to run the kubectl cp command against that container can trigger this path traversal on the host where kubectl runs.
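The defence against this class of bug is a per-entry check on the host side before anything is created. The following is an added example, written for this topic rather than taken from kubectl or the fix PR, of the lexical check a hardened untar should apply to every entry: the entry's cleaned path must stay inside the destination directory, and a symlink's target must be neither absolute nor outside it. The destination /tmp/restore and the archive listing are constructed for the demo.

```go
package main

import (
	"archive/tar"
	"fmt"
	"path/filepath"
	"strings"
)

// escapes reports whether joining name to dest resolves outside dest. filepath.Join
// cleans the path first, so "app/../../root/.bashrc" resolves to dest/../root/.bashrc,
// whose path relative to dest starts with "..".
func escapes(dest, name string) bool {
	rel, err := filepath.Rel(dest, filepath.Join(dest, name))
	return err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// mustReject is the per-entry check a hardened untar runs before creating anything:
// the entry's own path must stay inside dest, and a symlink's target, resolved
// relative to the link's directory, must be neither absolute nor outside dest.
func mustReject(hdr *tar.Header, dest string) bool {
	if escapes(dest, hdr.Name) {
		return true
	}
	if hdr.Typeflag != tar.TypeSymlink {
		return false
	}
	target := filepath.Join(filepath.Dir(hdr.Name), hdr.Linkname)
	return filepath.IsAbs(hdr.Linkname) || escapes(dest, target)
}

// sampleHeaders is a constructed archive listing (not a real kubectl cp stream): a
// benign file, a file that climbs out of dest, a symlink escaping dest, and an
// in-tree symlink that is fine.
func sampleHeaders() []*tar.Header {
	return []*tar.Header{
		{Typeflag: tar.TypeReg, Name: "app/config.yaml"},
		{Typeflag: tar.TypeReg, Name: "app/../../root/.bashrc"},
		{Typeflag: tar.TypeSymlink, Name: "app/link", Linkname: "../../etc/passwd"},
		{Typeflag: tar.TypeSymlink, Name: "app/current", Linkname: "config.yaml"},
	}
}

func main() {
	for _, h := range sampleHeaders() {
		fmt.Printf("%-28s reject=%v\n", h.Name, mustReject(h, "/tmp/restore"))
	}
}
```

Checking the symlink target lexically is only half of the story: an extractor must also refuse to follow symlinks it has already created when writing later entries, otherwise a benign-looking in-tree link can redirect a later write outside the destination.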

The effects of this vulnerability are similar to those of the CVE-2019-1002101 vulnerability. For information about the CVE-2019-1002101 vulnerability, see CVE-2019-1002101: kubectl fix potential directory traversal.

For information about the vulnerability PR, see CVE-2019-11246: Clean links handling in cp's tar code.

For more information about security issues caused by this vulnerability, see kubernetes-security-announce.

Affected Kubernetes versions

  • kubectl v1.11.x and earlier versions
  • kubectl v1.12.1-v1.12.8 (fixed in v1.12.9)
  • kubectl v1.13.1-v1.13.5 (fixed in v1.13.6)
  • kubectl v1.14.1 (fixed in v1.14.2)

Note: You can view the version of kubectl by running the kubectl version --client command.

Solution

Upgrade kubectl and confirm the kubectl version. For more information, see Install and set up kubectl.

  • If your kubectl is v1.12.x, upgrade it to v1.12.9.
  • If your kubectl is v1.13.x, upgrade it to v1.13.6.
  • If your kubectl is v1.14.x, upgrade it to v1.14.2.
  • If your kubectl is v1.11 or an earlier version, upgrade it to v1.12.9, v1.13.6, or v1.14.2.