The Kubernetes community disclosed CVE-2019-11249, a vulnerability in the kubectl cp command. An attacker can exploit it to write malicious files to paths outside the destination directory on your host through directory traversal. The malicious files are delivered in a TAR package created in the container, and what can be written is limited only by the file system permissions of the user who runs kubectl.
The kubectl cp command is used to copy files between containers and hosts. When you copy a file from a container to your host by running the kubectl cp command, Kubernetes performs the following three steps: runs the tar command to create a TAR package in the container, sends the package to your host, and decompresses the package on your host.
If an attacker has permissions to run the kubectl cp command, they can send a malicious TAR package whose entries use directory traversal.
To fix this vulnerability, the kubectl cp command must verify the destination path of every file more rigorously during TAR package decompression and must refuse to write decompressed files to any path other than the destination path. This prevents malicious writes during TAR package decompression.
For more information, see Kubernetes announcements.
For more information about the pull requests for fixing this vulnerability, see CVE-2019-11249.
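The verification described above, as an added example written in Python rather than kubectl's own Go code: every archive entry is resolved against the destination directory before anything is extracted, and entries that escape it through `..` components, absolute names or symlinks pointing outside are rejected. The archive is constructed in memory for the demonstration, and the destination path `DEST` is an assumption.

```python
import io
import os
import tarfile

DEST = "/tmp/kubectl-cp-dest-example"  # constructed; need not exist for the checks


def is_within(base: str, target: str) -> bool:
    """True if target, after '..' and symlink normalisation, stays inside base."""
    base, target = os.path.realpath(base), os.path.realpath(target)
    return target == base or target.startswith(base + os.sep)


def escaping_members(data: bytes, dest: str) -> list:
    """Return the names of archive entries whose destination falls outside dest.
    Every member is checked before anything is written, so a symlink pointing
    outside dest is rejected even when a later entry only writes through it."""
    rejected = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
        for m in tar.getmembers():
            target = os.path.join(dest, m.name)  # an absolute name replaces dest here
            if not is_within(dest, target):
                rejected.append(m.name)
            elif m.issym():  # a symlink target is relative to the entry's directory
                if not is_within(dest, os.path.join(os.path.dirname(target), m.linkname)):
                    rejected.append(m.name)
    return rejected


def build_sample_tar() -> bytes:
    """Constructed archive: one benign file plus three kinds of escape attempt."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name: str) -> None:
            info = tarfile.TarInfo(name)
            info.size = 5
            tar.addfile(info, io.BytesIO(b"hello"))
        add_file("app/config.yaml")     # benign, stays inside dest
        add_file("../../outside.txt")   # classic '..' traversal
        add_file("/abs/outside.txt")    # absolute path, ignores dest entirely
        link = tarfile.TarInfo("app/out")  # symlink to three levels above dest
        link.type, link.linkname = tarfile.SYMTYPE, "../../.."
        tar.addfile(link)
        add_file("app/out/evil")        # lexically inside dest, escapes via the link
    return buf.getvalue()


def safe_to_extract(data: bytes, dest: str) -> bool:
    """Refuse the whole archive if any entry would escape, as the fix requires."""
    return not escaping_members(data, dest)
```

Checking `m.name` alone with a string prefix test would accept the absolute entry and the symlink; resolving each path with `realpath` against the destination is what catches all three escape kinds.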
You can run the kubectl version --client command to check your kubectl version.
The following kubectl versions are affected:
- kubectl 1.0.x to 1.12.x
- kubectl 1.13.0 to 1.13.8 (fixed in v1.13.9)
- kubectl 1.14.0 to 1.14.4 (fixed in v1.14.5)
- kubectl 1.15.0 to 1.15.1 (fixed in v1.15.2)
You can upgrade the kubectl version to fix this vulnerability. For more information, see install and set up kubectl. Check the kubectl version after kubectl is installed.
- If the kubectl version is 1.13.x, upgrade it to 1.13.9.
- If the kubectl version is 1.14.x, upgrade it to 1.14.5.
- If the kubectl version is 1.15.x, upgrade it to 1.15.2.
- If the kubectl version is 1.12.x or earlier, upgrade it to 1.13.9, 1.14.5, or 1.15.2.