Abstract
Red Hat OpenShift on IBM Cloud is not affected by Kubernetes kubectl cp directory traversal vulnerability (CVE-2019-11249)
Content
The Red Hat OpenShift on IBM Cloud service itself is NOT vulnerable to CVE-2019-11249, the Kubernetes kubectl cp directory traversal. The flaw is in the client-side handling of the archive that kubectl cp receives from the container, not in the cluster control plane or worker nodes, so the exposure is on the workstation of whoever runs kubectl cp (see Recommendation).

CVE-ID: CVE-2019-11249
Description: Kubernetes could allow a remote authenticated attacker to traverse directories on the system, caused by an incomplete fix for CVE-2019-1002101 and CVE-2019-11246. By persuading a victim to use the kubectl cp command with a malicious container, an attacker could replace or create arbitrary files on a user’s workstation.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/164768 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)
Recommendation
While the Red Hat OpenShift on IBM Cloud service itself is NOT vulnerable to CVE-2019-11249, the vulnerable code runs in the client, so customers are advised to ensure their kubectl and oc client binaries are updated to the latest available version for their cluster version. For more information, see Installing the OpenShift CLI.

A patched cluster does not protect a workstation that still runs an old client: every workstation that copies files out of pods with kubectl cp or oc cp needs the update.

To verify your oc client binary is no longer exposed, run oc version and confirm that the client line (the one beginning "oc v") reports 3.11.146 or later. A line beginning "openshift v" in that output reports the server version of the cluster you are logged in to, not your local binary.

To verify your kubectl client binary is no longer exposed, run kubectl version --client and confirm that the reported GitVersion carries the fix for its release line: 1.13.9 or later on 1.13, 1.14.5 or later on 1.14, and 1.15.2 or later on 1.15 (1.16 and newer clients were released after the fix). "1.13.9 or later" on its own is not a sufficient test, since a 1.14.4 client is numerically later but still vulnerable.
Document Information
Product: IBM Cloud Kubernetes Service and Red Hat OpenShift on IBM Cloud
Software version: All Versions
Document number: 1102029
Modified date: 26 September 2022
UID: ibm11102029