CVE-2019-11248

Summary

The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet healthz port. The go pprof endpoint is exposed over the Kubelet's healthz port. This debugging endpoint can potentially leak sensitive information such as internal Kubelet memory addresses and configuration, or for limited denial of service. Versions prior to 1.15.0, 1.14.4, 1.13.8, and 1.12.10 are affected. The issue is of medium severity, but not exposed by the default configuration.

Affected Software

VendorProductVersion RangeStatus
KubernetesKubernetesprior to 1.12.10affected
KubernetesKubernetesprior to 1.13.8affected
KubernetesKubernetesprior to 1.14.4affected
KubernetesKubernetes1.1affected
KubernetesKubernetes1.2affected
KubernetesKubernetes1.4affected
KubernetesKubernetes1.5affected
KubernetesKubernetes1.6affected
KubernetesKubernetes1.7affected
KubernetesKubernetes1.8affected
KubernetesKubernetes1.9affected
KubernetesKubernetes1.10affected
KubernetesKubernetes1.11affected

Weaknesses

  • CWE-419: CWE-419: Unprotected Primary Channel

Workarounds

update node configurations to set the "healthzBindAddress" to "127.0.0.1" to prevent access by remote callers.

ADP Enrichment

CVE Program Container

Additional References

References