Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2020-8565: Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9 #95623

Closed
sfowl opened this issue Oct 15, 2020 · 3 comments
Closed

CVE-2020-8565: Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9 #95623

sfowl opened this issue Oct 15, 2020 · 3 comments
Labels
area/security committee/security-response Denotes an issue or PR intended to be handled by the product security committee. kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. official-cve-feed Issues or PRs related to CVEs officially announced by Security Response Committee (SRC)

Comments

@sfowl
Copy link
Contributor

sfowl commented Oct 15, 2020
edited
Loading

CVSS Rating: 4.7 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N (Medium)

In Kubernetes, if the logging level is to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl.

Am I vulnerable?

If kube-apiserver is using a log level of at least 9.

Affected Versions

kubernetes v1.19.0 - v1.19.5
kubernetes v1.18.0 - v1.18.13
kubernetes v1.17.0 - v1.17.15

How do I mitigate this vulnerability?

Do not enable verbose logging in production, limit access to logs.

Fixed Versions

kubernetes v1.20.0
kubernetes v1.19.6
kubernetes v1.18.14
kubernetes v1.17.16

To upgrade, refer to the documentation: https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster

Acknowledgements

This vulnerability was reported by: Patrick Rhomberg (purelyapplied)

/area security
/kind bug
/committee product-security
@sfowl sfowl added the kind/bug Categorizes issue or PR as related to a bug. label Oct 15, 2020
@k8s-ci-robot k8s-ci-robot added area/security committee/security-response Denotes an issue or PR intended to be handled by the product security committee. labels Oct 15, 2020
@k8s-ci-robot
Copy link
Contributor

@sfowl: This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Oct 15, 2020
@sfowl
Copy link
Contributor Author

sfowl commented Oct 15, 2020

Fixed by #95316

@sfowl sfowl closed this as completed Oct 15, 2020
@tengqm tengqm mentioned this issue Oct 20, 2020
Closed
@RTann RTann mentioned this issue Oct 29, 2020
Merged
@github-actions github-actions bot mentioned this issue Nov 3, 2020
Open
@mend-bolt-for-github mend-bolt-for-github bot mentioned this issue Dec 9, 2020
Closed
@mend-for-github-com mend-for-github-com bot mentioned this issue Jan 8, 2021
Open
@PushkarJ
Copy link
Member

PushkarJ commented Dec 2, 2021

/label official-cve-feed

(Related to kubernetes/sig-security#1)

@k8s-ci-robot k8s-ci-robot added the official-cve-feed Issues or PRs related to CVEs officially announced by Security Response Committee (SRC) label Dec 2, 2021
@joe-kimmel-vmw joe-kimmel-vmw mentioned this issue Dec 3, 2021
Closed
1 task
@dev-mend-for-github-com dev-mend-for-github-com bot mentioned this issue Apr 7, 2022
Open
@k8s-sec-alert k8s-sec-alert mentioned this issue Sep 18, 2022
Open
@pdeslaur pdeslaur mentioned this issue Aug 27, 2023
Merged
This was referenced May 7, 2024
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/security committee/security-response Denotes an issue or PR intended to be handled by the product security committee. kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. official-cve-feed Issues or PRs related to CVEs officially announced by Security Response Committee (SRC)
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@PushkarJ @sfowl @k8s-ci-robot