The Kubernetes patch team has released new patches for two Kubernetes vulnerabilities CVE-2019-16276 and CVE-2019-11253.
According to security experts, each of the vulnerabilities can be “highly dangerous” under some Kubernetes configurations.
HTTP Protocol Violation in Go’s net/http Library (CVE-2019-16276)
The first vulnerability CVE-2019-16276 impacts the Go language’s standard HTTP library, net/http. This library is used for HTTP request parsing in Kubernetes, as well as provides HTTP client and server implementations.
CJ Cullen, on behalf of the Kubernetes Product Security Committee, posted a summary of the vulnerability in a security announcement:
“Go’s net/http library causes invalid headers to be normalized and interpreted as valid by an HTTP server. If a reverse proxy in front of a Go HTTP server allows and forwards but doesn’t normalize invalid headers, the Go server could interpret those headers differently than the reverse proxy.”
In addition, researchers from Palo Alto Networks provided more detailed analysis on how to exploit the vulnerability. For instance, attackers could send a request “X-Remote-User : admin” to the proxy.
“If the proxy is designed to filter X-Remote-User headers but doesn’t recognize the header because it’s invalid and forwards it to the Kubernetes API server, the attacker would successfully pass the API request with the roles of the ‘admin’ user,” the researchers noted.
YAML parser library vulnerability (CVE-2019-11253)
The second vulnerability, CVE-2019-11253, impacts Kubernetes API server and YAML parser library. As a consequence, an attacker could could exploit the issue to cause denial of service.
Although Kubernetes issued a patch, developers also patched the issue in go-yaml library level. The updates help prevent similar attacks on other projects using the same code.
Kubernetes released new build versions 1.14.8, 1.15.5 and 1.16.2 to fix each of the two vulnerabilities. Users and organizations are highly recommended to upgrade as soon as possible.