You are viewing documentation for a previous version of GKE On-Prem.

Security bulletins

All security bulletins for GKE On-Prem are described in this topic.

Vulnerabilities are often kept secret under embargo until the affected parties have had a chance to address them. In these cases, the GKE On-Prem Release Notes refer only to "security updates" until the embargo is lifted. Once it is lifted, the notes are updated to name the vulnerability that the patch addressed.

To get the latest security bulletins delivered to you, add the URL of this page to your feed reader.

August 23, 2019

Description:

We recently discovered and mitigated a vulnerability in which the RBAC proxy that secures monitoring endpoints did not correctly authorize requests. As a result, metrics from certain components could be read by unauthorized users from within the internal cluster network. The following components were affected:

  • etcd
  • etcd-events
  • kube-apiserver
  • kube-controller-manager
  • kube-scheduler
  • node-exporter
  • kube-state-metrics
  • prometheus
  • alertmanager
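One way to confirm whether a proxied metrics endpoint still answers anonymous requests, as an added example that is not GKE On-Prem code: probe the endpoint once without credentials and once with a service account token that is allowed to scrape, and compare the two results. The endpoint URL, the token value and the loopback mock server are assumptions and constructed fixtures; in a real check, point assess() at the component's proxied /metrics URL from inside the cluster network, since that is where the bulletin says the exposure was reachable.

```python
"""Probe an RBAC-proxied metrics endpoint with and without a bearer token and
report whether it serves metrics to anonymous callers.

Added example, not GKE On-Prem code. The endpoint URL, the token and the
loopback mock server are assumptions / constructed test fixtures; in a real
check, point assess() at the component's proxied /metrics URL from inside the
cluster network and pass a service account token that is allowed to scrape.
"""
import ssl
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def fetch_status(url, token=None, timeout=5, verify_tls=True):
    """GET url and return the HTTP status; attach a bearer token when given."""
    req = urllib.request.Request(url)
    if token:
        req.add_header("Authorization", "Bearer " + token)
    ctx = None
    if not verify_tls:  # self-signed proxy certificates are common in-cluster
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def assess(url, token, **kw):
    """Classify an endpoint from an anonymous probe and an authenticated probe.

    'exposed'  - metrics served with no credential at all (the bulletin's bug)
    'enforced' - anonymous request rejected, token accepted
    'unknown'  - anything else (wrong URL, token lacks scrape rights, proxy down)
    """
    anon = fetch_status(url, None, **kw)
    authed = fetch_status(url, token, **kw)
    if anon == 200:
        return "exposed"
    if anon in (401, 403) and authed == 200:
        return "enforced"
    return "unknown"


def start_mock_metrics_server(require_token):
    """Constructed stand-in for a proxied /metrics endpoint, bound to loopback.

    require_token=False mimics the broken proxy; True mimics the patched one.
    Returns (server, url); call server.shutdown() when done."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            ok = (not require_token) or \
                 self.headers.get("Authorization") == "Bearer good-token"
            body = b"process_open_fds 12\n" if ok else b"Unauthorized\n"
            self.send_response(200 if ok else 401)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *_args):  # keep the probe output clean
            pass

    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d/metrics" % srv.server_port


if __name__ == "__main__":
    for broken in (True, False):
        srv, url = start_mock_metrics_server(require_token=not broken)
        print("proxy enforcing auth:", not broken, "->", assess(url, "good-token"))
        srv.shutdown()
```

A result of "exposed" reproduces the bulletin's condition; after upgrading to 1.0.2-gke.3 the anonymous probe should be rejected and the token probe still succeed. "unknown" usually means the token's service account is not bound to a role that permits scraping, so confirm the authenticated probe on a known-good endpoint before drawing conclusions from the anonymous one.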
What should I do?

We recommend that you upgrade your clusters to version 1.0.2-gke.3, which includes the patch for this vulnerability, as soon as possible.

Severity: Medium

Notes: GKE On-Prem releases

August 22, 2019

Description:

Kubernetes recently discovered a vulnerability, CVE-2019-11247, which allows cluster-scoped custom resource instances to be acted on as if they were namespaced objects existing in every Namespace. This means users and service accounts with only namespace-level RBAC permissions on a custom resource can interact with the cluster-scoped instances of that resource. Exploiting this vulnerability requires the attacker to already hold RBAC privileges on the resource in at least one namespace.
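The access pattern this CVE permits leaves a trace in the API server audit log: a request for a cluster-scoped custom resource that arrives under a /namespaces/<ns>/ path. As an added example that is not GKE On-Prem or Kubernetes project code, the following Python derives the set of cluster-scoped CRDs from a CRD list shaped like `kubectl get crd -o json` and scans audit.k8s.io/v1 JSON-lines events for that pattern. SAMPLE_CRD_LIST and SAMPLE_AUDIT_LINES are constructed samples, not data from a real cluster.

```python
"""Scan Kubernetes audit log lines for a cluster-scoped custom resource being
reached through a namespaced URL, the access pattern behind CVE-2019-11247.

Added example; not GKE On-Prem or Kubernetes project code. SAMPLE_CRD_LIST and
SAMPLE_AUDIT_LINES are constructed samples (shaped like `kubectl get crd -o json`
and an audit.k8s.io/v1 JSON-lines log), not data from a real cluster.
"""
import json


def cluster_scoped_resources(crd_list):
    """Return {(group, plural)} for every CRD whose spec.scope is Cluster."""
    found = set()
    for crd in crd_list.get("items", []):
        spec = crd.get("spec", {})
        if spec.get("scope") == "Cluster":
            found.add((spec.get("group", ""), spec["names"]["plural"]))
    return found


def is_namespaced_access_to_cluster_scoped(event, cluster_scoped):
    """True when the event addresses a cluster-scoped CR under /namespaces/<ns>/."""
    ref = event.get("objectRef") or {}
    if (ref.get("apiGroup", ""), ref.get("resource", "")) not in cluster_scoped:
        return False
    if ref.get("namespace"):
        return True
    # objectRef.namespace can be absent; fall back to the request path itself.
    path = event.get("requestURI", "").split("?", 1)[0]
    return "/namespaces/" in path


def find_suspicious(audit_lines, cluster_scoped):
    """Parse JSON-lines audit events; return (user, verb, requestURI, status)."""
    hits = []
    for line in audit_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if is_namespaced_access_to_cluster_scoped(event, cluster_scoped):
            hits.append((event.get("user", {}).get("username", "?"),
                         event.get("verb", "?"),
                         event.get("requestURI", "?"),
                         event.get("responseStatus", {}).get("code")))
    return hits


# Constructed: two CRDs in the same group, one cluster-scoped and one namespaced.
SAMPLE_CRD_LIST = {"apiVersion": "v1", "kind": "List", "items": [
    {"metadata": {"name": "widgets.example.com"},
     "spec": {"group": "example.com", "scope": "Cluster", "names": {"plural": "widgets"}}},
    {"metadata": {"name": "jobsets.example.com"},
     "spec": {"group": "example.com", "scope": "Namespaced", "names": {"plural": "jobsets"}}},
]}

# Constructed audit events, one JSON document per line as the API server writes them.
SAMPLE_AUDIT_LINES = [
    # Ordinary namespaced built-in resource: not interesting.
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"get","user":{"username":"alice"},'
    '"objectRef":{"apiGroup":"apps","apiVersion":"v1","resource":"deployments","namespace":"dev","name":"web"},'
    '"requestURI":"/apis/apps/v1/namespaces/dev/deployments/web","responseStatus":{"code":200}}',
    # Cluster-scoped CR reached through its proper cluster-level URL.
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"get",'
    '"user":{"username":"system:serviceaccount:kube-system:operator"},'
    '"objectRef":{"apiGroup":"example.com","apiVersion":"v1","resource":"widgets","name":"w1"},'
    '"requestURI":"/apis/example.com/v1/widgets/w1","responseStatus":{"code":200}}',
    # Cluster-scoped CR reached through a namespaced URL: the CVE-2019-11247 pattern.
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"delete",'
    '"user":{"username":"system:serviceaccount:dev:builder"},'
    '"objectRef":{"apiGroup":"example.com","apiVersion":"v1","resource":"widgets","namespace":"dev","name":"w1"},'
    '"requestURI":"/apis/example.com/v1/namespaces/dev/widgets/w1","responseStatus":{"code":200}}',
    # Namespaced CRD used normally: not interesting.
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"list","user":{"username":"bob"},'
    '"objectRef":{"apiGroup":"example.com","apiVersion":"v1","resource":"jobsets","namespace":"dev"},'
    '"requestURI":"/apis/example.com/v1/namespaces/dev/jobsets","responseStatus":{"code":200}}',
]


if __name__ == "__main__":
    scoped = cluster_scoped_resources(SAMPLE_CRD_LIST)
    for user, verb, uri, code in find_suspicious(SAMPLE_AUDIT_LINES, scoped):
        print("%s %s %s -> %s" % (user, verb, uri, code))
```

Each hit names the principal and the namespace whose Role or RoleBinding was used to reach the cluster-scoped object, which is exactly the grant to review. Audit events carry the namespace in objectRef only when the request path contained one, so the requestURI fallback matters for events written with a reduced audit level; and a hit that still shows a 2xx responseStatus after the upgrade to 1.0.2-gke.3 deserves a closer look.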

What should I do?

We recommend that you upgrade your clusters to version 1.0.2-gke.3, which includes the patch for this vulnerability, as soon as possible.

What vulnerability is addressed by this patch?

The patch mitigates the following vulnerability: CVE-2019-11247.

Severity: Medium

Notes: CVE-2019-11247