The Kubernetes community has disclosed CVE-2019-11249, a vulnerability in the kubectl cp command. An attacker can exploit it to write malicious files, carried in a TAR package created inside a container, to paths on your host other than the intended destination path by using directory traversal in the archive entry paths. The only restriction on where such files can be written is the file system permissions of the user who runs kubectl.

Background information

The kubectl cp command is used to copy files between containers and hosts. When you copy a file from a container to your host by running the kubectl cp command, Kubernetes performs the following three steps: runs the tar command to create a TAR package in the container, sends the package to your host, and decompresses the package on your host.

If an attacker has permission to run the kubectl cp command, they can have it copy a malicious TAR package whose entry paths use directory traversal to escape the destination directory.

The fix requires the kubectl cp command to validate the destination path of every file while the TAR package is being decompressed and to refuse to write any decompressed file to a path outside the destination directory. This blocks the attack at the decompression step.
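The destination-path check described above, written as an added Go example rather than kubectl's own code: each entry name from the received archive is joined onto the destination directory and rejected if the cleaned result leaves it. The destination directory and the entry names are assumed sample values.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// ErrTraversal marks an entry whose resolved path would leave the destination.
var ErrTraversal = errors.New("tar entry escapes destination directory")

// safeDestPath joins a tar entry name onto dest and rejects it when the cleaned
// result is not under dest: the kind of check the advisory says the fix adds.
func safeDestPath(dest, name string) (string, error) {
	target := filepath.Join(dest, name) // Join collapses any "../" segments
	rel, err := filepath.Rel(dest, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrTraversal, name)
	}
	return target, nil
}

// checkArchive walks the TAR stream received from the container and returns the
// host paths that are safe to write, or the first traversal error found.
func checkArchive(dest string, archive []byte) ([]string, error) {
	tr := tar.NewReader(bytes.NewReader(archive))
	var accepted []string
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return accepted, nil
		} else if err != nil {
			return nil, err
		}
		target, err := safeDestPath(dest, hdr.Name)
		if err != nil {
			return nil, err
		}
		accepted = append(accepted, target)
	}
}

func main() {
	_, err := safeDestPath("/tmp/kubectl-cp-dest", "../../outside.txt") // assumed host dest
	fmt.Println(err) // tar entry escapes destination directory: "../../outside.txt"
}
```

In a real extractor the accepted paths would then be created under the destination; an archive containing a single traversing entry is rejected as a whole.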

For more information, see Kubernetes announcements.

For more information about the pull requests for fixing this vulnerability, see CVE-2019-11249.

Impacts

You can run the kubectl version --client command to check your kubectl version.

The following kubectl versions are affected:

  • kubectl 1.0.x to 1.12.x
  • kubectl 1.13.0 to 1.13.8 (fixed in v1.13.9)
  • kubectl 1.14.0 to 1.14.4 (fixed in v1.14.5)
  • kubectl 1.15.0 to 1.15.1 (fixed in v1.15.2)

Fixes

You can upgrade the kubectl version to fix this vulnerability. For more information, see install and set up kubectl. Check the kubectl version after kubectl is installed.

  • If the kubectl version is 1.13.x, upgrade it to 1.13.9.
  • If the kubectl version is 1.14.x, upgrade it to 1.14.5.
  • If the kubectl version is 1.15.x, upgrade it to 1.15.2.
  • If the kubectl version is 1.12.x or earlier, upgrade it to 1.13.9, 1.14.5, or 1.15.2.