Container Service for Kubernetes has included a fix for CVE-2019-16276. This topic describes the impact of this vulnerability and how to fix it.

Background

Golang discovered a vulnerability tracked as CVE-2019-16276. A Kubernetes user can write a request header in a specific format to bypass the filter conditions in the authenticating proxy and send authenticated requests to the backend API server as another user or group. Golang promptly fixed this vulnerability. We recommend that you upgrade your Golang version.

For more information about CVE-2019-16276, see CVE-2019-16276.

Affected versions

Clusters that use an authenticating proxy for authentication, where the authenticating proxy server is written in Go.

Fix

Upgrade Golang. For more information, see Install Go. Download Golang 1.12.10 or 1.13.1, then recompile and deploy the authenticating proxy server. After Go is installed, run the go version command to check its version.
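
The version check from the fix step can be scripted. This is an added example, not part of the original topic: it classifies a Go version string against the fixed releases named above, 1.12.10 and 1.13.1. The function names extract_go_version and go_fix_status are hypothetical. It assumes that release lines after 1.13 carry the fix, and treats lines before 1.12 as affected because this topic names no fixed release for them.

```shell
#!/bin/sh
# Added example: classify a Go version against the releases this topic names
# as fixed for CVE-2019-16276 (1.12.10 and 1.13.1).

# Pull the "goX.Y[.Z]" token out of `go version` output, e.g.
# "go version go1.12.9 linux/amd64" or "./proxy: go1.12.9".
extract_go_version() {
    for tok in $1; do
        case $tok in
            go[0-9]*) echo "$tok"; return 0 ;;
        esac
    done
    return 1
}

# Print "fixed", "affected" or "unknown"; exit status 0 only for "fixed".
go_fix_status() {
    v=${1#go}
    case $v in
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 2 ;;  # rc, beta, devel
    esac
    old_ifs=$IFS; IFS=.
    set -- $v
    IFS=$old_ifs
    major=$1; minor=${2:-0}; patch=${3:-0}
    if [ "$major" -ne 1 ] || [ "$#" -gt 3 ]; then echo unknown; return 2; fi
    if [ "$minor" -eq 12 ] && [ "$patch" -ge 10 ]; then echo fixed; return 0; fi
    if [ "$minor" -eq 13 ] && [ "$patch" -ge 1 ]; then echo fixed; return 0; fi
    # Assumption: release lines after 1.13 were cut after the fix landed.
    if [ "$minor" -gt 13 ]; then echo fixed; return 0; fi
    echo affected; return 1
}

# Check the local toolchain, or a compiled proxy binary when a path is given
# (reading a binary's build version requires a Go 1.13+ toolchain).
if command -v go >/dev/null 2>&1; then
    line=$(go version ${1:+"$1"} 2>/dev/null) || line=
    ver=$(extract_go_version "$line") || ver=unknown
    echo "$ver: $(go_fix_status "$ver")"
fi
```

Pass the path of the deployed authenticating proxy binary as the first argument to check the toolchain it was built with, which is what determines exposure, rather than the Go version installed on the build host.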