Vulnerability Name:

CVE-2019-11245 (CCN-161858)

Assigned:2019-05-25
Published:2019-05-25
Updated:2019-09-19
Summary:In kubelet v1.13.6 and v1.14.2, containers for pods that do not specify an explicit runAsUser attempt to run as uid 0 (root) on container restart, or if the image was previously pulled to the node. If the pod specified mustRunAsNonRoot: true, the kubelet will refuse to start the container as root. If the pod did not specify mustRunAsNonRoot: true, the kubelet will run the container as uid 0.
CVSS v3 Severity:7.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
6.9 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:R)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
4.9 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
4.3 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:U/RC:R)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): Low
CVSS v2 Severity:4.6 Medium (CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
3.7 Low (CCN CVSS v2 Vector: AV:L/AC:H/Au:N/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): High
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
Vulnerability Type:CWE-264
Vulnerability Consequences:Gain Privileges
References:Source: MITRE
Type: CNA
CVE-2019-11245

Source: XF
Type: UNKNOWN
kubernetes-cve201911245-priv-esc(161858)

Source: CCN
Type: kubernetes GIT Repository
CVE-2019-11245: v1.14.2, v1.13.6: container uid changes to root after first restart or if image is already pulled to the node #78308

Source: CONFIRM
Type: Exploit, Patch, Third Party Advisory
https://github.com/kubernetes/kubernetes/issues/78308

Source: CCN
Type: oss-sec Mailing List, Thu, 30 May 2019 14:57:25 -0700
[ANNOUNCE] Security regression in Kubernetes kubelet v1.13.6 and v1.14.2 only - CVE-2019-11245

Source: CONFIRM
Type: UNKNOWN
https://security.netapp.com/advisory/ntap-20190919-0003/

Source: CCN
Type: IBM Security Bulletin 1165828 (Cloud Private)
A Security Vulnerability affects IBM Cloud Private Kubernetes (CVE-2019-11245)

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2019-11245

Vulnerable Configuration:Configuration 1:
  • cpe:/a:kubernetes:kubernetes:1.13.6:*:*:*:*:*:*:*
  • OR cpe:/a:kubernetes:kubernetes:1.14.2:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:ibm:cloud_private:3.2.0:cd:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:com.ubuntu.cosmic:def:2019112450000000
    V
    		CVE-2019-11245 on Ubuntu 18.10 (cosmic) - medium.
    2019-06-03
    BACK
    kubernetes kubernetes 1.13.6
    kubernetes kubernetes 1.14.2
    ibm cloud private 3.2.0 cd