Rapid7 Vulnerability & Exploit Database

Oracle Linux: ELSA-2020-5654: kubernetes kubeadm-ha-setup kubeadm-upgrade security update

Back to Search

Oracle Linux: ELSA-2020-5654: kubernetes kubeadm-ha-setup kubeadm-upgrade security update

Severity
4
CVSS
(AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published
04/17/2020
Created
04/21/2020
Added
04/18/2020
Modified
04/18/2020

Description

kubernetes [1.12.10-1.0.11] - [CVE-2019-11254] kube-apiserver Denial of Service vulnerability from malicious YAML payloads [1.12.10-1.0.10] - [CVE-2019-16276] Kubernetes Vulnerabilities Allow Authentication Bypass, DoS [1.12.10-1.0.9] - Define rolling update for flannel [1.12.10-1.0.8] - Modify flannel/dashboard image tags to use images that have the cve fix [1.12.10-1.0.7] - [CVE-2019-11253] Kubernetes API Server JSON/YAML parsing vulnerable to resource exhaustion attack [1.12.10-1.0.6] - [CVE-2019-16276] bump golang to 1.12.10 [1.12.10-1.0.5] - added THIRD_PARTY_LICENSES.txt file [1.12.10-1.0.4] - fix for CVE-2019-11251 [1.12.10-1.0.3] - replacing references to kubernetes-dashboard-amd64 with kubernetes-dashboard [1.12.10-1.0.2] - Added Oracle specific build files for Kubernetes kubeadm-ha-setup [0.0.2-1.0.69] - [CVE-2019-11254] kube-apiserver Denial of Service vulnerability from malicious YAML payloads [0.0.2-1.0.68] - Pull image prior to update and fix image repo for addons [0.0.2-1.0.67] - Bump golang build version [0.0.2-1.0.66] - [CVE-2019-16276] Support patching flannel/dashboard on upgrade [0.0.2-1.0.65] - [CVE 2019-16276] Support deploygin 1.12 and 1.13 with CVE patched [0.0.2-1.0.64] - [CVE-2019-16276] Support patching etcd on upgrade [0.0.2-1.0.63] - [CVE-2019-16276] while upgrading a cluster patch the coredns image [0.0.2-1.0.62] - CVE-2019-16276 : Update flannel , etcd coredns and dashboard images. [0.0.2-1.0.61] - Added Support for 1.13.11 and removed support for 1.13.10 [0.0.2-1.0.59] - Remove Support for 1.14.6 [0.0.2-1.0.58] - Replacing reference to kubernetes-dashboard-amd64 with kubernetes-dashboard [0.0.2-1.0.57] - Support 1.12.10 [0.0.2-1.0.56] - Support 1.14.6 [0.0.2-1.0.55] - Support 1.13.10 [0.0.2-1.0.54] - Support 1.13.9 [0.0.2-1.0.53] - Mark 1.14 as a developer build [0.0.2-1.0.52] - Restore fails when trying to restore after a failed update [0.0.2-1.0.51] - Minor version update doesn't update kubeadm on all master nodes [0.0.2-1.0.50] - Make k8s 1.14 specific changes [0.0.2-1.0.49] - Remove 1.10 and 1.11 version since they are incompatable [0.0.2-1.0.48] - Support deploying 5 master nodes [0.0.2-1.0.47] - Only update/upgrade the controlplane images if they changed in the Release object [0.0.2-1.0.46] - Fix version comparison function during upgrade [0.0.2-1.0.45] - Fix rpm version compare - Allow kubernetes updates for patch version [0.0.2-1.0.44] - Allow assume yes to deploy a single master without the prompt [0.0.2-1.0.43] - Post cluster creation should check only for master nodes [0.0.2-1.0.42] - Update keepalived check api server to ensure we are grepping the correct IP [0.0.2-1.0.41] - Make ha.yaml an optional argument in the cli for single master cluster [0.0.2-1.0.40] - Add pod cidr default and refactor ha.yaml example [0.0.2-1.0.39] - Remove features: feature1_13=true from config [0.0.2-1.0.38] - Default kubernetes version to latest production version [0.0.2-1.0.37] - Fix keepalived issue when firewalld is disable [0.0.2-1.0.36] - Default kubernetes version to latest production version [0.0.2-1.0.35] - Add addons template and config files [0.0.2-1.0.34] - Enhance tests [0.0.2-1.0.33] - fix regression of previous firewall fix [0.0.2-1.0.32] - Fix firewall issues during restore [0.0.2-1.0.31] - Fix firewall issues [0.0.2-1.0.30] - Enhance output while validating the system [0.0.2-1.0.29] - Fix DR in 1.13 [0.0.2-1.0.28] - Fix apiserver_cert_extra_sans for 1.13 clusters [0.0.2-1.0.27] - Fix update/upgrade output message [0.0.2-1.0.26] - Fix major upgrade [0.0.2-1.0.25] - Add registry migration [0.0.2-1.0.24] - Return stdout and stderr from Run function to allow the caller decided what to display [0.0.2-1.0.23] - Proxy variable is inherited in remote master [0.0.2-1.0.22] - The Trim function doesn't work for replacing strings - Upgrade should use the pause container instead of pause-amd64 [0.0.2-1.0.21] - Include 1.12.7 image and update 1.13 and metric servers info [0.0.2-1.0.20] - Support new registries and allow for password to have a colon [0.0.2-1.0.19] - --force flag for full restore [0.0.2-1.0.18] - Change update help message [0.0.2-1.0.17] - Change update message, add ha install command and ask for confirmation [0.0.2-1.0.16] - Change upgrade command name to update [0.0.2-1.0.15] - Fix upgrade for point release [0.0.2-1.0.14] - Move file.go to config.go [0.0.2-1.0.13] - Feature Flag 1.13 code [0.0.2-1.0.12] - Add support of upgrading HA master nodes [0.0.2-1.0.11] - Support deploying Kubernetes version 1.13.2 [0.0.2-1.0.10] - CVE-2018-16875 [0.0.2-1.0.9] - Add timeout to Run() (gitlab issues #3) - Rename path to linux-git.us.oracle.com/Kubernetes [0.0.2-1.0.8] - Remove releases.json dependency [0.0.2-1.0.7] - Pin dependent kubernetes packages [0.0.2-1.0.6] - Update deps for kube 1.13 [0.0.2-1.0.5] - Add test runner in makefile and execute it in CI/CD [0.0.2-1.0.4] - Fix backup path issue again found by Tom Cocozzello [0.0.2-1.0.3] - [Orabug 29152516] Backup and restore /var/lib/kubelet/kubeadm-flags.env too - Cleanup kube-ipvs0 interface too - More code cleanup - Use map for checking kernel module - Fix client joining errors - Addressing Tom Cocozzello's review - Enabling IPVS in HA [0.0.2-1.0.2] - Update dashboard image (CVE-2018-18264) [0.0.2-1.0.1] - Allow Oracle certified addons to be installed via cli [0.0.1-2.0.9] - Use 'dep ensure' to clean up symlinks in the vendor directory [0.0.1-2.0.5] - Clean up un-used build scripts [0.0.1-2.0.4] - Add Makefile for building and testing code [0.0.1-2.0.3] - Fix file restore issue when it contains './' [0.0.1-2.0.2] - Resolve the full filepath when '.' is passed in - Addressing review by Muminul Islam [0.0.1-2.0.1] - Remove 'firewall-cmd --reload' as it can hangs OCI - Fix some errors reported by Shubham - Error out if options is not currently supported in HandleEtcdOps - Fix down issue - Dump log output to /var/log/kubeadm-ha-setup [0.0.1-1.0.37] - Fix kubernetes version - Include log printing when error occurs - Fix client.go regression due to new down function [0.0.1-1.0.36] - Remove Godeps, using dep for now - Check if image is not set before referencing - Rename getEtcdConfigV2 to getEtcdConfig - Adding down functionality - Update ha.yaml file [0.0.1-1.0.35] - Removing etcd.go - Addressing Tom Cocozzello review - [Orabug 28977571] [0.0.1-1.0.34] - Enabling full restore on HA master and single master - Cleanup - Enable single master backup - Double the context request timeout - Implement retryable AddMember [0.0.1-1.0.33] - Modified DR for One node case to use new etcd API - Enhanced the helper scripts such that it will error out - HealthCheck re-implementation [0.0.1-1.0.32] - Update dashboard image [0.0.1-1.0.31] - Needs to be run as a privileged user - Enable CoreDNS as default [0.0.1-1.0.30] - Enable single master setup [0.0.1-1.0.29] - Redesigned for setting up v1.12 HA clusters [0.0.1-1.0.28] - Fixes for v1.11 - Addressing Laszlo Peter review - Addressing Daniel Krasinski review [0.0.1-1.0.27] - Fix build failure - Add UPL LICENSE - Fix the usage of defer - Re-try when docker pull image gets a timeout - Refactor SetupCreds() - Remove --force flag for restore - When something fail, we should lenghten the timeout time [0.0.1-1.0.26] - When context timed out catch it and print stdout, stderr [0.0.1-1.0.25] - Check output from docker client and probe for error [0.0.1-1.0.24] - Properly parse if repo has a special ':' character [0.0.1-1.0.23] - Checking the total nodes would be better implementation - Fixup etcd add member errors [0.0.1-1.0.22] - Pod count could be >= 20 - Remove port 30000-32767/tcp check for client node - Querying k8s cluster health instead of etcd for backup - Cosmestic fix - Etcd one node restore problems [0.0.1-1.0.21] - Check whether repo needs auth even in one node restore case - Fixup the restore script - docker pull image change in behavior in 18.03 - Include client side image repo checking too - Provide a full repo path for comparison - Make kubernetes_developer as the sample repo - Use strings.Contains to compare strings - Fix README - Initial README - Include changes in kube.go [0.0.1-1.0.20] - In OCI LB can takes time to setup properly - Fix random string - [Orabug 28445064] - Replace RunCmdExec() with just Run() - Sanity check for # of master - Make kubeadm token default to be random [0.0.1-1.0.19] - Check if docker exec etcd returns Error - Check env first before trying to pull image - [Orabug 28461826] [0.0.1-1.0.18] - Fixing LB, kubelet, kubectl-proxy - Add a DEBUG flag for more verbose output [0.0.1-1.0.17] - Don't loop forever in client, make Run() more consistent in master - Fixup LB for OCI - Add apiserver-bind-port capability [0.0.1-1.0.17] - Include apiserver_cert_extra_sans and service_cidr [0.0.1-1.0.16] - Include restoring keepalived for one and full restore - For Full Restore we need to first clean up before anything else - Clean up DR, make backup check etcd health first - Properly clean-up flannel.1 and cni0 [0.0.1-1.0.15] - DR code cleanup - Changed permission on the created dir to 0755 - Fix filename not found error [0.0.1-1.0.14] - Don't panic() - In One node restore case verify the ca.crt MD5SUM - Full DR feature - Redesign of the DR - Include file and its line number for logging - Put the binary full path - Re-arrange varibles for ssh.go - Separate etcd cli to another file (etcd.go) - Addition to kubectl cli - Check if MyIP for local node is missing/empty [0.0.1-1.0.13] - Replace binary names - Include the ability to re-try master setup [0.0.1-1.0.12] - Renamed the whole REPO to kubeadm-ha-setup - Don't print out more logs as necessary [0.0.1-1.0.12] - Enhance ssh/sftp code [0.0.1-1.0.11] - Change the storePath - Include keepalived backup and change backup.sh/restore.sh [0.0.1-1.0.10] - Continuing on the restore part - Make the script to query all KUBEDIR directory from a single file - Consolidate KUBEDIR - Make systemd related file 0644 [0.0.1-1.0.9] - Fixup the hardcoded directory as such we are reading from only limited source - Include the Docker API for restore - Initial implementation of DR [0.0.1-1.0.8] - Fixup kubeadm-setup join - systemctl enable kubelet [0.0.1-1.0.7] - Fix LoadBalancer to take care of extra steps [0.0.1-1.0.6] - Cleanup some stdout - Add token field in ha.yaml for ease of automated setup [0.0.1-1.0.5] - If Loadbalancer is preferred/used [0.0.1-1.0.4] - Remove goroutine sleep - unnecessary - Provides structure to store required files and cert files - Fix merge errors [0.0.1-1.0.3] - Create /run/kubeadm w-w/o --skip [0.0.1-1.0.2] - NoHA and LoadBalancer [0.0.1-1.0.1] - Initial build kubeadm-upgrade [0.0.1-1.0.28] -- [CVE-2019-11254] kube-apiserver Denial of Service vulnerability from malicious YAML payloads [0.0.1-1.0.27] -- [CVE-2019-16276] Kubernetes Vulnerabilities Allow Authentication Bypass, DoS [0.0.1-1.0.26] -- Create log folder before any log write or error exit [ orabug: 29806186 ] [0.0.1-1.0.25] -- Enforce exit on errors [0.0.1-1.0.24] -- Dashboard yaml location was moved in Kubernetes 1.12.7 [0.0.1-1.0.23] -- Detect latest kubernetes version from yum [0.0.1-1.0.22] -- Bump up 1.12.7 version for coredns fix [0.0.1-1.0.21] -- CVE-2019-9946 [0.0.1-1.0.20] -- CVE-2019-1002101 [0.0.1-1.0.19] -- Bump up 1.12.6 version [0.0.1-1.0.18] -- Upgrade from 1.9 to 1.12 fails [0.0.1-1.0.17] -- Update the Kubernetes version to include the conntrack fix [0.0.1-1.0.16] -- CVE-2019-1002100 [0.0.1-1.0.15] -- CVE-2018-1002105 [0.0.1-1.0.14] -- Fix kube version for 1.10.5 [0.0.1-1.0.13] -- Updating 1.10 and 1.11 version for CVE fixes -- Include flannel and dashboard upgrade [0.0.1-1.0.12] -- Upgrade to 1.12.5-2.1.1 [0.0.1-1.0.11] -- Upgrade to 1.12.5 [0.0.1-1.0.10] -- Add license info to the script [0.0.1-1.0.9] -- Add license file [0.0.1-1.0.8] -- Fix the bug on number of CPU checking [0.0.1-1.0.7] -- Use install instead of update for a specifc 1.12 version [0.0.1-1.0.6] -- Upgrade cluster to 1.12.3-* version only [0.0.1-1.0.5] -- Add exit handler to gather logs on failure [0.0.1-1.0.4] -- Enhance logging and check return code after kubeadm apply. Checking CPU and Memory of the system [0.0.1-1.0.3] -- Change REPO_PREFIX to use a single repo, increased timeout during cluster health check [0.0.1-1.0.2] -- Added comments and fix rpm name [0.0.1-1.0.1] - Upgrade to 1.12.3

Solution(s)

  • oracle-linux-upgrade-kubeadm
  • oracle-linux-upgrade-kubeadm-ha-setup
  • oracle-linux-upgrade-kubeadm-upgrade
  • oracle-linux-upgrade-kubectl
  • oracle-linux-upgrade-kubelet
  • oracle-linux-upgrade-kubernetes

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;