CVE-2019-11248

Kubernetes kubelet exposes /debug/pprof info on healthz port

Description

The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet healthz port. The go pprof endpoint is exposed over the Kubelet's healthz port. This debugging endpoint can potentially leak sensitive information such as internal Kubelet memory addresses and configuration, or for limited denial of service. Versions prior to 1.15.0, 1.14.4, 1.13.8, and 1.12.10 are affected. The issue is of medium severity, but not exposed by the default configuration.

Remediation

Workaround:

update node configurations to set the "healthzBindAddress" to "127.0.0.1" to prevent access by remote callers.

References

Link	Tags
https://github.com/kubernetes/kubernetes/issues/81023	third party advisory patch
https://groups.google.com/d/msg/kubernetes-security-announce/pKELclHIov8/BEDtRELACQAJ	third party advisory mailing list
https://security.netapp.com/advisory/ntap-20190919-0003/	third party advisory

Frequently Asked Questions

What is the severity of CVE-2019-11248?: CVE-2019-11248 has been scored as a high severity vulnerability.
How to fix CVE-2019-11248?: As a workaround for remediating CVE-2019-11248: update node configurations to set the "healthzBindAddress" to "127.0.0.1" to prevent access by remote callers.
Is CVE-2019-11248 being actively exploited in the wild?: It is possible that CVE-2019-11248 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~91% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2019-11248?: CVE-2019-11248 affects Kubernetes Kubernetes.

Description

Remediation

Categories

CWE-419 – Unprotected Primary Channel

CWE-862 – Missing Authorization

References

Frequently Asked Questions