The vulnerability CVE-2019-11246 related to kubectl cp was exposed several months ago. Kubernetes recently announced another vulnerability CVE-2019-11249 related to kubectl cp. This vulnerability provides attackers with the opportunity to write malicious files saved in a TAR package into any paths on your host through directory traversal by running the kubectl cp command. This process is only restricted by the system permissions of the current user.

Background information

The kubectl cp command is used to copy files between containers and hosts. If you copy a file from a container to your host by running the kubectl cp command, Kubernetes performs the following three steps: creates a TAR file inside the container, sends the file to your host, and then decompresses the file on your host.

If an attacker has permission to run the kubectl cp command and the TAR package contains malicious files, the attacker can perform directory traversal.

With this vulnerability fixed, the kubectl cp command performs more rigorous verification on the target paths of all files during the TAR package decompression. Copying decompressed files to any paths that are not the destination directory of the kubectl cp operation is not allowed.

For more information about security issues caused by this vulnerability, see Kubernetes security announcement.

For more information about the vulnerability PR, visit https://github.com/kubernetes/kubernetes/pull/80436/.

Vulnerable versions

You can view the kubectl versions by running the kubectl version --client command.

The following list describes the vulnerable versions:

  • Kubectl 1.0.x-1.12.x
  • Kubectl 1.13.0-1.13.8 (fixed in v1.13.9)
  • Kubectl 1.14.0-1.14.4 (fixed in v1.14.5)
  • Kubectl 1.15.0-1.15.1 (fixed in v1.15.2)

Solution

To fix this vulnerability, you must upgrade the kubectl and check the kubectl version. For more information, see Install and set up kubectl.

  • If your kubectl version is 1.13.x, upgrade it to 1.13.9.
  • If your kubectl version is 1.14.x, upgrade it to 1.14.5.
  • If your kubectl version is 1.15.x, upgrade it to 1.15.2.
  • If your kubectl version is 1.12.x or an earlier version, upgrade it to 1.13.9, 1.14.5, or 1.15.2.