Rancher 2.2.7 released: CVE fixes and support for the new Kubernetes versions

On August 6, Kubernetes released three new patch versions to fix two newly discovered security vulnerabilities, CVE-2019-11247 and CVE-2019-11249. Rancher responded quickly and released Rancher v2.2.7 on August 7. The new version supports the newly released Kubernetes patch versions, fixes two newly reported Rancher CVEs, and adds features and optimizations.


Kubernetes CVEs and patched versions


The three new Kubernetes releases are:

  • v1.13.9

  • v1.14.5

  • v1.15.2

The new versions fix the following vulnerabilities:

CVE-2019-11247:

Because of this vulnerability, the API server allows access to custom resources with an incorrect scope. Affected Kubernetes versions:

  • Kubernetes 1.7.x-1.12.x

  • Kubernetes 1.13.0-1.13.8

  • Kubernetes 1.14.0-1.14.4

  • Kubernetes 1.15.0-1.15.1


CVE-2019-11249:

The fixes for CVE-2019-1002101 and CVE-2019-11246 were incomplete. This vulnerability allows a malicious container to create or replace files on the client machine when the client runs kubectl cp against it. Affected Kubernetes versions:

  • Kubernetes 1.0.x-1.12.x

  • Kubernetes 1.13.0-1.13.8

  • Kubernetes 1.14.0-1.14.4

  • Kubernetes 1.15.0-1.15.1


To keep your cluster secure, we recommend upgrading your Kubernetes cluster to one of the patched releases. For more details about these CVEs, see:

https://groups.google.com/forum/#!topic/kubernetes-security-announce/vUtEcSEY6SM
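As an added check that is not part of the announcement, the script below reads the server version reported by `kubectl version -o json` and reports whether it falls inside the affected ranges listed above and which patched release to move to. The JSON sample is constructed; the version ranges and fixed releases are taken from the lists above.

```python
import json
import re

# Patched releases named in the announcement: minor -> first fixed patch level.
FIXED_PATCH = {13: 9, 14: 5, 15: 2}

# Minors with no fixed release at all, per the affected-version lists above.
UNPATCHED_MINORS = {
    "CVE-2019-11247": (7, 12),   # 1.7.x .. 1.12.x
    "CVE-2019-11249": (0, 12),   # 1.0.x .. 1.12.x
}


def parse_version(git_version):
    """Turn 'v1.14.3-rke' or '1.15.1' into (major, minor, patch); build suffixes are ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", git_version)
    if not m:
        raise ValueError(f"unrecognised Kubernetes version: {git_version!r}")
    return tuple(int(x) for x in m.groups())


def affected_cves(git_version):
    """Return (sorted CVE ids the server is exposed to, recommended upgrade target or None)."""
    major, minor, patch = parse_version(git_version)
    if major != 1 or minor > max(FIXED_PATCH):
        return [], None          # outside the version space this advisory covers
    if minor in FIXED_PATCH:
        if patch >= FIXED_PATCH[minor]:
            return [], None      # already on or past the patched release
        return sorted(UNPATCHED_MINORS), f"v1.{minor}.{FIXED_PATCH[minor]}"
    hit = [cve for cve, (lo, hi) in UNPATCHED_MINORS.items() if lo <= minor <= hi]
    # No patch exists for these minors; the lowest patched line is the smallest jump.
    return sorted(hit), ("v1.13.9" if hit else None)


def check_kubectl_output(raw_json):
    """Evaluate the JSON printed by `kubectl version -o json` against the advisory."""
    server = json.loads(raw_json)["serverVersion"]["gitVersion"]
    return affected_cves(server)


# Constructed sample output, not captured from a real cluster.
SAMPLE_OUTPUT = json.dumps({
    "clientVersion": {"gitVersion": "v1.15.2"},
    "serverVersion": {"gitVersion": "v1.14.3"},
})

if __name__ == "__main__":
    cves, target = check_kubectl_output(SAMPLE_OUTPUT)
    if cves:
        print(f"server exposed to {', '.join(cves)}; upgrade to {target}")
    else:
        print("server version is not in the affected ranges")
```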


Rancher 2.2.7 released


Today, Rancher Labs released Rancher v2.2.7. This version supports the Kubernetes patch versions released on August 6 (v1.13.9, v1.14.5, v1.15.2). Rancher v2.2.7 also fixes two recently discovered security vulnerabilities, CVE-2019-14435 and CVE-2019-14436.

Rancher's current Latest and Stable version information is as follows:

[Screenshot: Rancher Latest and Stable versions, 2019-08-07]


Rancher Labs also released v2.1.12 for users who have not yet upgraded to Rancher 2.2.x. For now, this version supports only Kubernetes v1.13.9.

In addition, Rancher v2.2.7 and v2.1.12 fix two recently discovered Rancher CVEs:

  • CVE-2019-14435: Because of this vulnerability, an authenticated user may be able to extract otherwise private data from IPs reachable by Rancher's system-service containers, including but not limited to cloud provider metadata services. Although Rancher users can configure a whitelist of domains for system-service access, a malicious user could still exploit this flaw with crafted HTTP requests. This vulnerability was discovered and reported by Matt Belile and Alex Stevenson of Workiva.

  • CVE-2019-14436: Through this vulnerability, a member holding only the "Project Owner" role (or even a lesser project member role with permission to edit role bindings) could grant themselves a higher cluster-level role and thereby gain administrative rights over the cluster. This vulnerability was discovered and reported by Michal Lipinski of Nokia.


Please note:

Rancher 1.6.x users are not affected by the two Kubernetes vulnerabilities, because Rancher 1.6.x does not support the affected Kubernetes versions.

For Rancher 2.0.x users:

  • Like Rancher 1.6.x, Rancher 2.0.x does not support the Kubernetes versions listed above and is therefore not affected by the two Kubernetes vulnerabilities.

  • As for the two Rancher vulnerabilities: as shown on the Rancher Terms of Service page, Rancher 2.0.x is currently in the EOM-to-EOL support stage of its product life cycle. Rancher therefore has no plans to release an official v2.0.x patch for CVE-2019-14435 and CVE-2019-14436. Rancher enterprise subscription customers with special circumstances that require fixes for these two vulnerabilities in v2.0.x should contact Rancher's technical support team. Otherwise, please upgrade your Rancher to the latest version before the v2.0.x EOL date (November 1, 2019).



Features and Optimizations


  • Added support for Docker 19.03

  • Added the ability to set the S3 backup path



Download and Upgrade


On the Rancher GitHub page you can read the full Rancher 2.2.7 release notes, download the latest version, and learn more about upgrade and rollback considerations.

GitHub link:

https://github.com/rancher/rancher/releases



Origin blog.51cto.com/12462495/2427584