Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.ORACLELINUX_ELSA-2019-4816.NASL
HistorySep 07, 2023 - 12:00 a.m.

Oracle Linux 7 : kubernetes (ELSA-2019-4816)

2023-09-0700:00:00
This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
5
JSON

The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2019-4816 advisory.

  • In Kubernetes v1.8.x-v1.14.x, schema info is cached by kubectl in the location specified by --cache-dir (defaulting to $HOME/.kube/http-cache), written with world-writeable permissions (rw-rw-rw-). If --cache- dir is specified and pointed at a different location accessible to other users/groups, the written files may be modified by other users/groups and disrupt the kubectl invocation. (CVE-2019-11244)

  • Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
    (CVE-2019-9512)

  • The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes runs tar inside the container to create a tar archive, copies it over the network, and kubectl unpacks it on the user’s machine. If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on the user’s machine when kubectl cp is called, limited only by the system permissions of the local user. Kubernetes affected versions include versions prior to 1.12.9, versions prior to 1.13.6, versions prior to 1.14.2, and versions 1.1, 1.2, 1.4, 1.4, 1.5, 1.6, 1.7, 1.8, 1.9, 1.10, 1.11. (CVE-2019-11246)

  • The Kubernetes kubectl cp command in versions 1.1-1.12, and versions prior to 1.13.11, 1.14.7, and 1.15.4 allows a combination of two symlinks provided by tar output of a malicious container to place a file outside of the destination directory specified in the kubectl cp invocation. This could be used to allow an attacker to place a nefarious file using a symlink, outside of the destination tree. (CVE-2019-11251)

  • The Kubernetes kube-apiserver mistakenly allows access to a cluster-scoped custom resource if the request is made as if the resource were namespaced. Authorizations for the resource accessed in this manner are enforced using roles and role bindings within the namespace, meaning that a user with access only to a resource in one namespace could create, view update or delete the cluster-scoped resource (according to their namespace role privileges). Kubernetes affected versions include versions prior to 1.13.9, versions prior to 1.14.5, versions prior to 1.15.2, and versions 1.7, 1.8, 1.9, 1.10, 1.11, 1.12. (CVE-2019-11247)

  • The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes runs tar inside the container to create a tar archive, copies it over the network, and kubectl unpacks it on the user’s machine. If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on the user’s machine when kubectl cp is called, limited only by the system permissions of the local user. Kubernetes affected versions include versions prior to 1.13.9, versions prior to 1.14.5, versions prior to 1.15.2, and versions 1.1, 1.2, 1.4, 1.4, 1.5, 1.6, 1.7, 1.8, 1.9, 1.10, 1.11, 1.12.
    (CVE-2019-11249)

  • Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling. (CVE-2019-16276)

  • Improper input validation in the Kubernetes API server in versions v1.0-1.12 and versions prior to v1.13.12, v1.14.8, v1.15.5, and v1.16.2 allows authorized users to send malicious YAML or JSON payloads, causing the API server to consume excessive CPU or memory, potentially crashing and becoming unavailable.
    Prior to v1.14.0, default RBAC policy authorized anonymous users to submit requests that could trigger this vulnerability. Clusters upgraded from a version prior to v1.14.0 keep the more permissive policy by default for backwards compatibility. (CVE-2019-11253)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Oracle Linux Security Advisory ELSA-2019-4816.
##

include('compat.inc');

if (description)
{
  script_id(180704);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/09/08");

  script_cve_id(
    "CVE-2019-9512",
    "CVE-2019-11244",
    "CVE-2019-11246",
    "CVE-2019-11247",
    "CVE-2019-11249",
    "CVE-2019-11251",
    "CVE-2019-11253",
    "CVE-2019-16276"
  );
  script_xref(name:"CEA-ID", value:"CEA-2019-0643");

  script_name(english:"Oracle Linux 7 : kubernetes (ELSA-2019-4816)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Oracle Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the
ELSA-2019-4816 advisory.

  - In Kubernetes v1.8.x-v1.14.x, schema info is cached by kubectl in the location specified by --cache-dir
    (defaulting to $HOME/.kube/http-cache), written with world-writeable permissions (rw-rw-rw-). If --cache-
    dir is specified and pointed at a different location accessible to other users/groups, the written files
    may be modified by other users/groups and disrupt the kubectl invocation. (CVE-2019-11244)

  - Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The
    attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of
    responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
    (CVE-2019-9512)

  - The kubectl cp command allows copying files between containers and the user machine. To copy files from a
    container, Kubernetes runs tar inside the container to create a tar archive, copies it over the network,
    and kubectl unpacks it on the user's machine. If the tar binary in the container is malicious, it could
    run any code and output unexpected, malicious results. An attacker could use this to write files to any
    path on the user's machine when kubectl cp is called, limited only by the system permissions of the local
    user. Kubernetes affected versions include versions prior to 1.12.9, versions prior to 1.13.6, versions
    prior to 1.14.2, and versions 1.1, 1.2, 1.4, 1.4, 1.5, 1.6, 1.7, 1.8, 1.9, 1.10, 1.11. (CVE-2019-11246)

  - The Kubernetes kubectl cp command in versions 1.1-1.12, and versions prior to 1.13.11, 1.14.7, and 1.15.4
    allows a combination of two symlinks provided by tar output of a malicious container to place a file
    outside of the destination directory specified in the kubectl cp invocation. This could be used to allow
    an attacker to place a nefarious file using a symlink, outside of the destination tree. (CVE-2019-11251)

  - The Kubernetes kube-apiserver mistakenly allows access to a cluster-scoped custom resource if the request
    is made as if the resource were namespaced. Authorizations for the resource accessed in this manner are
    enforced using roles and role bindings within the namespace, meaning that a user with access only to a
    resource in one namespace could create, view update or delete the cluster-scoped resource (according to
    their namespace role privileges). Kubernetes affected versions include versions prior to 1.13.9, versions
    prior to 1.14.5, versions prior to 1.15.2, and versions 1.7, 1.8, 1.9, 1.10, 1.11, 1.12. (CVE-2019-11247)

  - The kubectl cp command allows copying files between containers and the user machine. To copy files from a
    container, Kubernetes runs tar inside the container to create a tar archive, copies it over the network,
    and kubectl unpacks it on the user's machine. If the tar binary in the container is malicious, it could
    run any code and output unexpected, malicious results. An attacker could use this to write files to any
    path on the user's machine when kubectl cp is called, limited only by the system permissions of the local
    user. Kubernetes affected versions include versions prior to 1.13.9, versions prior to 1.14.5, versions
    prior to 1.15.2, and versions 1.1, 1.2, 1.4, 1.4, 1.5, 1.6, 1.7, 1.8, 1.9, 1.10, 1.11, 1.12.
    (CVE-2019-11249)

  - Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling. (CVE-2019-16276)

  - Improper input validation in the Kubernetes API server in versions v1.0-1.12 and versions prior to
    v1.13.12, v1.14.8, v1.15.5, and v1.16.2 allows authorized users to send malicious YAML or JSON payloads,
    causing the API server to consume excessive CPU or memory, potentially crashing and becoming unavailable.
    Prior to v1.14.0, default RBAC policy authorized anonymous users to submit requests that could trigger
    this vulnerability. Clusters upgraded from a version prior to v1.14.0 keep the more permissive policy by
    default for backwards compatibility. (CVE-2019-11253)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/errata/ELSA-2019-4816.html");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-11247");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/04/22");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/01/31");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/09/07");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kubeadm");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kubeadm-ha-setup");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kubeadm-upgrade");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kubectl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kubelet");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Oracle Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/local_checks_enabled");

  exit(0);
}


include('rpm.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');
var os_release = get_kb_item("Host/RedHat/release");
if (isnull(os_release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:os_release)) audit(AUDIT_OS_NOT, 'Oracle Linux');
var os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');
os_ver = os_ver[1];
if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 7', 'Oracle Linux ' + os_ver);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);
if ('x86_64' >!< cpu) audit(AUDIT_ARCH_NOT, 'x86_64', cpu);

var pkgs = [
    {'reference':'kubeadm-1.12.10-1.0.10.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'kubeadm-ha-setup-0.0.2-1.0.68.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'kubeadm-upgrade-0.0.1-1.0.27.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'kubectl-1.12.10-1.0.10.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'kubelet-1.12.10-1.0.10.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE}
];

var flag = 0;
foreach var package_array ( pkgs ) {
  var reference = NULL;
  var _release = NULL;
  var sp = NULL;
  var _cpu = NULL;
  var el_string = NULL;
  var rpm_spec_vers_cmp = NULL;
  var epoch = NULL;
  var allowmaj = NULL;
  var exists_check = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = 'EL' + package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (reference && _release) {
    if (exists_check) {
        if (rpm_exists(release:_release, rpm:exists_check) && rpm_check(release:_release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
    } else {
        if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
    }
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kubeadm / kubeadm-ha-setup / kubeadm-upgrade / etc');
}
VendorProductVersionCPE
oraclelinux7cpe:/o:oracle:linux:7
oraclelinuxkubeadmp-cpe:/a:oracle:linux:kubeadm
oraclelinuxkubeadm-ha-setupp-cpe:/a:oracle:linux:kubeadm-ha-setup
oraclelinuxkubectlp-cpe:/a:oracle:linux:kubectl
oraclelinuxkubeletp-cpe:/a:oracle:linux:kubelet
oraclelinuxkubeadm-upgradep-cpe:/a:oracle:linux:kubeadm-upgrade

Related

oraclelinux 7
nessus 36
redhat 19
ibm 23
attackerkb 2
photon 6
threatpost 3
openvas 5
fedora 4
redhatcve 8
veracode 8
ubuntucve 6
gitlab 4
osv 15
prion 8
cve 8
debiancve 8
cloudfoundry 1
github 6
symantec 4
alpinelinux 5
altlinux 1
debian 1
amazon 4
checkpoint_advisories 2
freebsd 1
f5 1
wolfi 1
mscve 1
cgr 1
oraclelinux
oraclelinux
kubernetes security update
2020-01-31 00:00:00
kubernetes security update
2019-07-29 00:00:00
kubeadm-ha-setup security update
2019-07-29 00:00:00
nessus
nessus
RHEL 7 : OpenShift Container Platform 3.9 atomic-openshift (RHSA-2019:3811)
2019-11-08 00:00:00
Photon OS 1.0: Kubernetes PHSA-2019-1.0-0255
2019-10-07 00:00:00
Photon OS 1.0: Kubernetes PHSA-2019-1.0-0252
2019-10-11 00:00:00
redhat
redhat
(RHSA-2019:3811) Important: OpenShift Container Platform 3.9 atomic-openshift security update
2019-11-07 16:39:10
(RHSA-2019:3905) Important: OpenShift Container Platform 3.11 atomic-openshift security update
2019-11-18 16:17:10
(RHSA-2019:3239) Important: OpenShift Container Platform 3.10 atomic-openshift security update
2019-10-29 16:03:25
ibm
ibm
Security Bulletin: Security Vulnerabilities affect IBM Cloud Private Kubernetes (CVE-2019-11247, CVE-2019-11249)
2019-11-23 16:28:17
Security Bulletin: A security vulnerability has been identified in Kubernetes shipped with PowerAI Vision
2020-01-08 04:39:30
Security Bulletin: IBM API Connect is impacted by vulnerabilities in Kubernetes (CVE-2019-11249, CVE-2019-11247)
2020-01-02 16:47:32
attackerkb
attackerkb
kubectl cp path traversal
2019-04-01 00:00:00
Kubectl/API Server YAML parsing vulnerable to "Billion Laughs" Attack
2019-10-17 00:00:00
photon
photon
Important Photon OS Security Update - PHSA-2019-0031
2019-09-27 00:00:00
Important Photon OS Security Update - PHSA-2019-3.0-0031
2019-09-28 00:00:00
Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2019-2.0-0177
2019-09-30 00:00:00
threatpost
threatpost
ThreatList: One-Third of Firms Say Their Container Security Lags
2018-11-23 13:00:48
Dangerous Kubernetes Bugs Allow Authentication Bypass, DoS
2019-10-17 14:25:39
Public Bug Bounty Takes Aim at Kubernetes Container Project
2020-01-14 17:00:28
openvas
openvas
Fedora Update for kubernetes FEDORA-2019-2b8ef08c95
2019-08-27 00:00:00
Fedora Update for golang FEDORA-2019-416d20f960
2019-10-10 00:00:00
Debian: Security Advisory (DSA-4534-1)
2019-09-30 00:00:00
fedora
fedora
[SECURITY] Fedora 30 Update: kubernetes-1.15.2-1.fc30
2019-08-26 00:53:13
[SECURITY] Fedora 30 Update: golang-1.12.10-1.fc30
2019-10-09 16:54:30
[SECURITY] Fedora 30 Update: golang-1.12.13-1.fc30
2019-11-12 02:09:13
redhatcve
redhatcve
CVE-2019-11249
2020-04-09 10:50:34
CVE-2019-11247
2020-04-09 10:00:38
CVE-2019-11244
2020-04-06 23:05:27
veracode
veracode
Directory Traversal
2019-08-06 01:38:57
Unauthorised Access
2019-08-06 09:24:30
Arbitrary File Write
2019-09-20 02:08:38
ubuntucve
ubuntucve
CVE-2019-11247
2019-08-29 00:00:00
CVE-2019-11246
2019-08-29 00:00:00
CVE-2019-11251
2020-02-03 00:00:00
gitlab
gitlab
Incorrect Permission Assignment for Critical Resource
2019-04-22 00:00:00
Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
2021-05-18 00:00:00
Uncontrolled Resource Consumption
2022-05-24 00:00:00
osv
osv
CVE-2019-11247
2019-08-29 01:15:11
CVE-2019-11249
2019-08-29 01:15:11
Kubernetes kube-apiserver unauthorized access
2022-05-24 16:55:06
prion
prion
Design/Logic Flaw
2019-04-22 15:29:00
Code injection
2019-08-29 01:15:00
Design/Logic Flaw
2019-08-29 01:15:00
cve
cve
CVE-2019-11249
2019-08-29 01:15:00
CVE-2019-11247
2019-08-29 01:15:00
CVE-2019-11244
2019-04-22 15:29:00
debiancve
debiancve
CVE-2019-11249
2019-08-29 01:15:00
CVE-2019-11247
2019-08-29 01:15:00
CVE-2019-11246
2019-08-29 01:15:00
cloudfoundry
cloudfoundry
CVE-2019-11247: Kubernetes API Server Vulnerability | Cloud Foundry
2019-10-15 00:00:00
github
github
XML Entity Expansion and Improper Input Validation in Kubernetes API server
2021-05-18 15:38:48
Kubernetes Unsafe Cacheing
2022-02-15 01:57:18
Kubernetes kube-apiserver unauthorized access
2022-05-24 16:55:06
symantec
symantec
Kubernetes CVE-2019-11244 Local Unauthorized Access Vulnerability
2019-04-22 00:00:00
Kubernetes API Server CVE-2019-11253 Denial of Service Vulnerability
2019-09-27 00:00:00
Golang Go CVE-2019-16276 HTTP Request Smuggling Vulnerability
2019-09-26 00:00:00
alpinelinux
alpinelinux
CVE-2019-11247
2019-08-29 01:15:00
CVE-2019-11249
2019-08-29 01:15:00
CVE-2019-11253
2019-10-17 16:15:00
altlinux
altlinux
Security fix for the ALT Linux 10 package golang version 1.12.10-alt1
2019-10-10 00:00:00
debian
debian
[SECURITY] [DSA 4534-1] golang-1.11 security update
2019-09-27 20:36:57
amazon
amazon
Medium: golang
2019-10-21 18:01:00
Medium: golang
2020-01-14 18:15:00
Medium: golang
2020-01-14 20:01:00
checkpoint_advisories
checkpoint_advisories
Kubernetes API Server Denial Of Service (CVE-2019-11253)
2019-12-26 00:00:00
Kubernetes Go Server Authentication Bypass (CVE-2019-16276)
2019-10-22 00:00:00
freebsd
freebsd
go -- invalid headers are normalized, allowing request smuggling
2019-09-25 00:00:00
f5
f5
K98053339 : HTTP/2 Ping Flood vulnerability CVE-2019-9512
2019-08-20 00:00:00
wolfi
wolfi
CVE-2019-9512 vulnerabilities
2024-04-30 03:06:19
mscve
mscve
HTTP/2 Server Denial of Service Vulnerability
2019-08-13 07:00:00
cgr
cgr
CVE-2019-9512 vulnerabilities
2024-04-30 03:08:22
JSON
Related for ORACLELINUX_ELSA-2019-4816.NASL
oraclelinux7nessus36redhat19ibm23attackerkb2photon6threatpost3openvas5fedora4redhatcve8veracode8ubuntucve6gitlab4osv15prion8cve8debiancve8cloudfoundry1github6symantec4alpinelinux5altlinux1debian1amazon4checkpoint_advisories2freebsd1f51wolfi1mscve1cgr1