v1.11.10-lts.1
2 minute read
This is the first fixed release by KLTS for v1.11.10.
Patches
- CVE-2019-11245
Containers for pods that do not specify an explicit runAsUser attempt to run as uid 0 (root) on container restart, or if the image was previously pulled to the node.
- CVE-2019-11246
This vulnerability may allow an attacker to use the
kubectl cp
command to write malicious files in the containertar
package to any path on the host using Path Traversal. This process is limited only by the system permissions of the local user. - CVE-2019-11247
API Server
mistakenly allows access to a cluster-scoped custom resource. - CVE-2019-11248
The debugging endpoint
/debug/pprof
is exposed over the unauthenticated Kubelet healthz port. - CVE-2019-11249
This vulnerability may allow an attacker to use the
kubectl cp
command to write malicious files in the containertar
package to any path on the host using Path Traversal. This process is limited only by the system permissions of the local user. - CVE-2019-11251
This vulnerability may allow an attacker to use the
kubectl cp
command to write malicious files in the containertar
package to any path on the host using Path Traversal. This process is limited only by the system permissions of the local user. - CVE-2020-8552
This vulnerability may make the
API Server
vulnerable to aDoS
(Denial of Service) attack caused by successfulAPI
requests. - CVE-2020-8558
The
kube-proxy
component was found to set the kernel parameternet.ipv4.conf.all.route_localnet=1
in bothiptables
andipvs
modes to allow local loopback access. An attacker may use the container sharing the host network, or bind and listen to the TCP/UDP service of the local127.0.0.1
on the cluster node to access the same LAN or adjacent node under the second layer network to obtain interface information. If your service does not set the necessary security certification, it may cause the risk of information leakage. - TODO CVE-2020-8559
This is a security vulnerability of the
kube-apiserver
component. An attacker can intercept certain upgrade requests sent to the nodekubelet
, and forward the request to other target nodes through the original access credentials in the request that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise. - CVE-2021-3121
A program with this vulnerability may crash because of processing some messages that contain malicious
Protobuf
. If the version ofGogo Protobuf
you are using is too low, this vulnerability may exist. - nokmem
The node has sufficient disks, but it keeps reporting that the disk is insufficient to create a Pod.
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.