Description
Security changes in Kubernetes, etcd, and helm; Bugfix in cri-o package
= Required Actions
== Kubernetes & etcd (Security fixes)
This fix involves an upgrade of Kubernetes and some add-ons. See https://documentation.suse.com/suse-caasp/4.2/html/caasp-admin/_cluster_updates.html#_updating_kubernetes_components for the upgrade procedure.
== Skuba & helm/helm3
In order to update skuba and helm or helm 3, you need to update the management workstation. See detailed instructions at https://documentation.suse.com/suse-caasp/4.2/html/caasp-admin/_cluster_updates.html#_update_management_workstation
= Known Issues
Modifying the file /etc/sysconfig/kubelet directly is not supported; see the documentation at https://documentation.suse.com/suse-caasp/4.2/html/caasp-admin/_miscellaneous.html#_configuring_kubelet
Be sure to check the Release Notes at https://www.suse.com/releasenotes/x86_64/SUSE-CAASP/4/#_changes_in_4_2_4 for any additional known issues or behavioral changes.
Package list
Container caasp/v4/coredns:1.6.7
Container caasp/v4/etcd:3.4.13
Container caasp/v4/helm-tiller:2.16.12
Container caasp/v4/hyperkube:v1.17.17
Container caasp/v4/kubernetes-client:1.17.17
Container caasp/v4/kucero:1.3.0
Container caasp/v4/kured:1.3.0
SUSE Linux Enterprise Module for Containers 15 SP1
References
- Link for SUSE-SU-2020:3760-1
- E-Mail link for SUSE-SU-2020:3760-1
- SUSE Security Ratings
- SUSE Bug 1174219
- SUSE Bug 1174951
- SUSE Bug 1176752
- SUSE Bug 1176753
- SUSE Bug 1176754
- SUSE Bug 1176755
- SUSE Bug 1177661
- SUSE Bug 1177662
- SUSE CVE CVE-2020-15106 page
- SUSE CVE CVE-2020-15112 page
- SUSE CVE CVE-2020-15184 page
- SUSE CVE CVE-2020-15185 page
- SUSE CVE CVE-2020-15186 page
- SUSE CVE CVE-2020-15187 page
- SUSE CVE CVE-2020-8565 page
- SUSE CVE CVE-2020-8566 page
Description
In etcd before versions 3.3.23 and 3.4.10, a large slice causes panic in decodeRecord method. The size of a record is stored in the length field of a WAL file and no additional validation is done on this data. Therefore, it is possible to forge an extremely large frame size that can unintentionally panic at the expense of any RAFT participant trying to decode the WAL.
Affected products
References
- CVE-2020-15106
- SUSE Bug 1174951
Description
In etcd before versions 3.3.23 and 3.4.10, it is possible to have an entry index greater than the number of entries in the ReadAll method in wal/wal.go. This could cause issues when WAL entries are being read during consensus as an arbitrary etcd consensus participant could go down from a runtime panic when reading the entry.
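The two etcd descriptions above (CVE-2020-15106 and CVE-2020-15112) both come down to a decoder trusting a value it read from the file: a frame length that is never bounded, and an entry index that is never compared with the number of entries. The following is an added example and not etcd's own code; it uses a constructed toy frame layout (8-byte little-endian length, then payload) that only mirrors the issue and is not etcd's real WAL encoding. It shows the two checks a decoder needs before it allocates or indexes: the length is validated against a hard maximum and against the bytes that actually remain, and the start index is validated against the entry count.

```python
import struct

# Upper bound on a single frame; a forged length above this is rejected before any
# buffer is allocated (the validation the descriptions above say was missing).
MAX_FRAME_BYTES = 16 * 1024 * 1024


class WALError(ValueError):
    """Raised for any frame or index the decoder refuses."""


def encode_frames(records):
    """Constructed toy layout: 8-byte little-endian length, then the payload.
    Illustration only; this is not etcd's real WAL encoding."""
    out = bytearray()
    for rec in records:
        out += struct.pack("<Q", len(rec)) + rec
    return bytes(out)


def decode_frames(data):
    """Decode frames, checking each length against a hard maximum and against
    the bytes that remain, instead of trusting the header value."""
    records, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 8:
            raise WALError(f"truncated length field at offset {pos}")
        (length,) = struct.unpack_from("<Q", data, pos)
        pos += 8
        if length > MAX_FRAME_BYTES:
            raise WALError(f"frame length {length} exceeds maximum {MAX_FRAME_BYTES}")
        if length > len(data) - pos:
            raise WALError(f"frame length {length} exceeds remaining {len(data) - pos} bytes")
        records.append(bytes(data[pos:pos + length]))
        pos += length
    return records


def read_all_from(records, start_index):
    """Return entries from start_index on, refusing an index past the end
    (the bound the CVE-2020-15112 description says ReadAll did not enforce).
    An index equal to the entry count is allowed and yields no entries."""
    if not 0 <= start_index <= len(records):
        raise WALError(f"entry index {start_index} outside 0..{len(records)}")
    return records[start_index:]


def is_rejected(fn, *args):
    """True when fn raises WALError; used to show that the checks fire."""
    try:
        fn(*args)
    except WALError:
        return True
    return False


# Constructed samples: a well-formed file and one whose header claims 2^62 bytes
# while carrying a single byte of payload.
GOOD_WAL = encode_frames([b"term=1 idx=1 put /a 1", b"term=1 idx=2 put /b 2"])
FORGED_WAL = struct.pack("<Q", 1 << 62) + b"x"

if __name__ == "__main__":
    print(decode_frames(GOOD_WAL))
    print("forged header rejected:", is_rejected(decode_frames, FORGED_WAL))
    print("index past end rejected:", is_rejected(read_all_from, [b"a"], 5))
```

The order of the checks matters: the maximum is compared first so that a hostile header never influences an allocation size, and the remaining-bytes check catches the truncated-file case that a plain maximum would let through.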
Affected products
References
- CVE-2020-15112
- SUSE Bug 1174951
Description
In Helm before versions 2.16.11 and 3.3.2 there is a bug in which the `alias` field on a `Chart.yaml` is not properly sanitized. This could lead to the injection of unwanted information into a chart. This issue has been patched in Helm 3.3.2 and 2.16.11. A possible workaround is to manually review the `dependencies` field of any untrusted chart, verifying that the `alias` field is either not used, or (if used) does not contain newlines or path characters.
Affected products
References
- CVE-2020-15184
- SUSE Bug 1176755
Description
In Helm before versions 2.16.11 and 3.3.2, a Helm repository can contain duplicates of the same chart, with the last one always used. If a repository is compromised, this lowers the level of access that an attacker needs to inject a bad chart into a repository. To perform this attack, an attacker must have write access to the index file (which can occur during a MITM attack on a non-SSL connection). This issue has been patched in Helm 3.3.2 and 2.16.11. A possible workaround is to manually review the index file in the Helm repository cache before installing software.
Affected products
References
- CVE-2020-15185
- SUSE Bug 1176754
Description
In Helm before versions 2.16.11 and 3.3.2 plugin names are not sanitized properly. As a result, a malicious plugin author could use characters in a plugin name that would result in unexpected behavior, such as duplicating the name of another plugin or spoofing the output to `helm --help`. This issue has been patched in Helm 3.3.2. A possible workaround is to not install untrusted Helm plugins. Examine the `name` field in the `plugin.yaml` file for a plugin, looking for characters outside of the [a-zA-Z0-9._-] range.
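The three Helm workarounds above are all manual reviews of YAML fields: the `alias` of each entry in `dependencies` (CVE-2020-15184), duplicate entries for one chart version in a repository index (CVE-2020-15185) and the `name` in `plugin.yaml` (CVE-2020-15186). The script below is an added example, not part of the SUSE advisory and not Helm's own code, that turns those reviews into checks. It operates on already-parsed documents, which is what `yaml.safe_load` from PyYAML returns for the real `Chart.yaml`, `index.yaml` and `plugin.yaml`; the sample documents here are constructed inline so it runs offline.

```python
import re
from collections import defaultdict

# Character range the advisory names for plugin names (CVE-2020-15186).
PLUGIN_NAME_RE = re.compile(r"[a-zA-Z0-9._-]+")

# Newline and path characters the advisory tells you to look for in an alias (CVE-2020-15184).
ALIAS_BAD_CHARS = set("\r\n/\\")


def check_dependency_aliases(chart):
    """Findings for the 'dependencies' list of a parsed Chart.yaml."""
    findings = []
    for i, dep in enumerate(chart.get("dependencies") or []):
        alias = dep.get("alias")
        if alias is None:
            continue  # alias not used: nothing to check
        if not isinstance(alias, str) or (ALIAS_BAD_CHARS & set(alias)) or ".." in alias:
            findings.append(
                f"dependencies[{i}] ({dep.get('name')}): alias {alias!r} "
                "contains newline or path characters")
    return findings


def check_plugin_name(plugin):
    """Findings for the 'name' field of a parsed plugin.yaml."""
    name = plugin.get("name")
    if not isinstance(name, str) or not PLUGIN_NAME_RE.fullmatch(name):
        return [f"plugin name {name!r} has characters outside [a-zA-Z0-9._-]"]
    return []


def find_duplicate_index_entries(index):
    """Findings for a parsed repository index.yaml: the same chart name and
    version listed more than once under 'entries' (CVE-2020-15185)."""
    findings = []
    for chart_name, versions in (index.get("entries") or {}).items():
        digests_by_version = defaultdict(list)
        for entry in versions:
            digests_by_version[entry.get("version")].append(entry.get("digest"))
        for version, digests in digests_by_version.items():
            if len(digests) > 1:
                findings.append(
                    f"{chart_name}-{version} listed {len(digests)} times "
                    f"(digests: {digests}); the affected versions used the last entry")
    return findings


def review_all(chart, plugin, index):
    """Run every check and return the combined list of findings."""
    return (check_dependency_aliases(chart)
            + check_plugin_name(plugin)
            + find_duplicate_index_entries(index))


# Constructed sample documents; none of these come from a real repository.
SAMPLE_CHART = {
    "apiVersion": "v2", "name": "demo", "version": "0.1.0",
    "dependencies": [
        {"name": "postgresql", "version": "8.0.0", "alias": "db"},
        {"name": "redis", "version": "10.0.0", "alias": "../../cache"},
        {"name": "nginx", "version": "1.0.0", "alias": "web\ninjected: value"},
    ],
}
SAMPLE_PLUGIN_OK = {"name": "diff", "version": "3.1.0"}
SAMPLE_PLUGIN_BAD = {"name": "diff\n  forged line", "version": "3.1.0"}
SAMPLE_INDEX = {
    "apiVersion": "v1",
    "entries": {
        "nginx": [
            {"version": "1.0.0", "digest": "sha256:constructed-aaa"},
            {"version": "1.1.0", "digest": "sha256:constructed-bbb"},
            {"version": "1.0.0", "digest": "sha256:constructed-ccc"},  # same version, other digest
        ],
    },
}

if __name__ == "__main__":
    for finding in review_all(SAMPLE_CHART, SAMPLE_PLUGIN_BAD, SAMPLE_INDEX):
        print("FINDING:", finding)
```

The duplicate check reports the digests side by side because a repeated version with a different digest is the case that matters: a byte-identical duplicate is harmless, a differing one means the chart you resolve is not the one the first entry describes.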
Affected products
References
- CVE-2020-15186
- SUSE Bug 1176753
Description
In Helm before versions 2.16.11 and 3.3.2, a Helm plugin can contain duplicates of the same entry, with the last one always used. If a plugin is compromised, this lowers the level of access that an attacker needs to modify a plugin's install hooks, causing a local execution attack. To perform this attack, an attacker must have write access to the git repository or plugin archive (.tgz) while being downloaded (which can occur during a MITM attack on a non-SSL connection). This issue has been patched in Helm 2.16.11 and Helm 3.3.2. As a possible workaround make sure to install plugins using a secure connection protocol like SSL.
Affected products
References
- CVE-2020-15187
- SUSE Bug 1176752
Description
In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. This affects <= v1.19.3, <= v1.18.10, <= v1.17.13, < v1.20.0-alpha2.
Affected products
References
- CVE-2020-8565
- SUSE Bug 1177661
Description
In Kubernetes clusters using Ceph RBD as a storage provisioner, with logging level of at least 4, Ceph RBD admin secrets can be written to logs. This occurs in kube-controller-manager's logs during provisioning of Ceph RBD persistent claims. This affects < v1.19.3, < v1.18.10, < v1.17.13.
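Both Kubernetes issues above are conditional on a verbosity setting: bearer tokens are written at `-v` 9 and above (CVE-2020-8565), Ceph RBD admin secrets from kube-controller-manager at `-v` 4 and above (CVE-2020-8566). Until the upgraded packages are rolled out, the two defensive measures are to keep the verbosity below those levels and to treat existing logs as possibly containing credentials. The checker below is an added example, not part of the advisory and not Kubernetes code: it parses the klog `-v` level out of a component's command line and reports when it reaches the leaking level, and it scans log lines for `Authorization: Bearer` values so they can be redacted before the logs are shipped. The command lines and log lines are constructed; the `round_trippers.go` curl-style line only imitates the shape of kubectl's verbose output and is an assumption, not captured output.

```python
import re

# Lowest -v level at which each component writes credentials, from the two
# descriptions above (CVE-2020-8565 and CVE-2020-8566).
LEAK_LEVEL = {
    "kube-apiserver": 9,
    "kubectl": 9,
    "kube-controller-manager": 4,  # relevant when Ceph RBD provisioning is in use
}

# klog accepts --v=N, -v=N and -v N.
_V_FLAG = re.compile(r"--?v(?:=(\d+))?")


def parse_verbosity(argv):
    """Return the klog verbosity given on a command line; 0 when no -v flag is present."""
    level = 0
    i = 0
    while i < len(argv):
        m = _V_FLAG.fullmatch(argv[i])
        if m:
            if m.group(1) is not None:
                level = int(m.group(1))
            elif i + 1 < len(argv) and argv[i + 1].isdigit():
                i += 1
                level = int(argv[i])
        i += 1
    return level


def verbosity_findings(component, argv):
    """Report when a component's -v level reaches the one at which it logs credentials."""
    level = parse_verbosity(argv)
    leak_at = LEAK_LEVEL.get(component)
    if leak_at is not None and level >= leak_at:
        return [f"{component}: -v={level} reaches the level ({leak_at}) "
                "at which credentials are written to logs"]
    return []


# Matches the token value wherever a log line echoes an Authorization header.
_BEARER = re.compile(r"(Authorization:\s*Bearer\s+)([A-Za-z0-9._\-]+)")


def redact_bearer_tokens(line):
    """Replace the token value and keep the rest of the line intact."""
    return _BEARER.sub(lambda m: m.group(1) + "<redacted>", line)


def scan_log(lines):
    """Return (line number, redacted line) for every line carrying a bearer token."""
    return [(n, redact_bearer_tokens(line))
            for n, line in enumerate(lines, 1) if _BEARER.search(line)]


# Constructed sample input. The first log line imitates the shape of kubectl's
# -v=9 request echo (an assumption); the token is a made-up placeholder.
SAMPLE_ARGV = ["kube-apiserver", "--secure-port=6443", "--v=9"]
SAMPLE_LOG = [
    "I1027 10:00:00.000001   12345 round_trippers.go:423] curl -k -v -XGET "
    '-H "Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.constructed.token" '
    "'https://10.0.0.1:6443/api/v1/namespaces'",
    "I1027 10:00:00.000002   12345 round_trippers.go:443] GET "
    "https://10.0.0.1:6443/api/v1/namespaces 200 OK in 12 milliseconds",
]

if __name__ == "__main__":
    for finding in verbosity_findings("kube-apiserver", SAMPLE_ARGV):
        print("FINDING:", finding)
    for n, line in scan_log(SAMPLE_LOG):
        print(f"line {n}: {line}")
```

The verbosity check compares with the level at which the leak starts rather than a fixed "safe" value, so the same table can be reused once a component's fixed package is installed by simply dropping its entry. Redaction keeps the header name so that request traces stay readable for debugging while the credential itself never reaches the log store.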
Affected products
References
- CVE-2020-8566
- SUSE Bug 1177662