Following CVE-2019-1002101 and CVE-2019-11246, the Kubernetes project has disclosed another security issue in the kubectl cp (copy) command. This vulnerability, CVE-2019-11251, allows an attacker to perform a directory traversal by supplying a malicious TAR file that overwrites files outside the target path on the host. The only limit on what can be overwritten is the file system permissions of the local user running kubectl.
Background
The kubectl cp command copies files between containers and hosts. When you copy a file from a container to your host by running kubectl cp, Kubernetes performs three steps: it creates a TAR archive in the container, sends the archive to your host, and then unpacks it on your host.
If an attacker has permission to run the kubectl cp command, they can send a malicious TAR file to your host and perform a directory traversal attack on it.
To fix this vulnerability, kubectl 1.16.0 removes support for symbolic links in the kubectl cp command. We recommend that you use kubectl exec together with tar if you still need the symlink functionality. Earlier versions keep symlink support but unpack the symlinks only after all regular files have been extracted.
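The third step above, unpacking on the host, is where a defensive check belongs: every tar header can be inspected before anything is written. The following Go program is an added example, not kubectl's own code; it uses a constructed archive, assumes the caller passes the extraction directory, and flags the escape routes this advisory describes: names that climb out with "..", absolute names, and symlinks whose target resolves outside the destination.

```go
package main

import (
	"archive/tar"
	"bytes"
	"io"
	"path/filepath"
	"strings"
)

// inside reports whether p lies at or below the directory root (filepath.Rel cleans both paths).
func inside(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, "../")
}

// unsafeEntries (hypothetical check, not kubectl's code) names the tar entries that would touch anything
// outside destDir on extraction: absolute or ".."-climbing names, and symlinks whose target resolves outside.
func unsafeEntries(archive []byte, destDir string) (bad []string, _ error) {
	tr := tar.NewReader(bytes.NewReader(archive))
	for hdr, err := tr.Next(); err != io.EOF; hdr, err = tr.Next() {
		if err != nil {
			return nil, err
		}
		target := filepath.Join(destDir, hdr.Name) // Join cleans, so ".." segments resolve here
		if !filepath.IsAbs(hdr.Linkname) {         // relative link targets resolve from the link's directory
			hdr.Linkname = filepath.Join(filepath.Dir(target), hdr.Linkname)
		}
		if filepath.IsAbs(hdr.Name) || !inside(destDir, target) ||
			(hdr.Typeflag == tar.TypeSymlink && !inside(destDir, hdr.Linkname)) {
			bad = append(bad, hdr.Name)
		}
	}
	return bad, nil
}

// sampleArchive builds a constructed archive of the kind a compromised container could return.
func sampleArchive() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, h := range []tar.Header{
		{Name: "logs/app.log", Typeflag: tar.TypeReg, Mode: 0644},                                // honest file
		{Name: "logs/escape", Typeflag: tar.TypeSymlink, Linkname: "../../../etc", Mode: 0777}, // escaping symlink
		{Name: "../../.bashrc", Typeflag: tar.TypeReg, Mode: 0644},                              // ".."-climbing name
	} {
		tw.WriteHeader(&h) // constructed, well-formed headers, so the error is ignored
	}
	tw.Close()
	return buf.Bytes()
}
```

Run against the sample archive with a destination of /tmp/out, unsafeEntries reports logs/escape and ../../.bashrc and leaves logs/app.log alone; an extractor that refuses the whole archive on any hit never reaches the overwrite.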
Affected versions
You can run the kubectl version --client command to check your kubectl version.
Affected versions are as follows:
- kubectl 1.0.x-1.12.x
- kubectl 1.13.0-1.13.10 (fixed in v1.13.11)
- kubectl 1.14.0-1.14.6 (fixed in v1.14.7)
- kubectl 1.15.0-1.15.3 (fixed in v1.15.4)
Impact
Attackers can use the kubectl cp command to overwrite files under any path other than the target path on the host.
Fix
Upgrade kubectl. For more information, see Install and set up kubectl. Make sure to check the kubectl version after the installation.
- If your kubectl version is 1.13.x, upgrade it to 1.13.11. For more information, see https://github.com/kubernetes/kubernetes/pull/82503.
- If your kubectl version is 1.14.x, upgrade it to 1.14.7. For more information, see https://github.com/kubernetes/kubernetes/pull/82502.
- If your kubectl version is 1.15.x, upgrade it to 1.15.4. For more information, see https://github.com/kubernetes/kubernetes/pull/82384.
- If your kubectl version is 1.12.x or earlier, upgrade it to 1.13.11, 1.14.7, 1.15.4, or 1.16.0.