CVE-2020-8563: Secret leaks in kube-controller-manager when using vSphere provider #95621
Labels
area/security
committee/security-response
Denotes an issue or PR intended to be handled by the product security committee.
kind/bug
Categorizes issue or PR as related to a bug.
needs-triage
Indicates an issue or PR lacks a `triage/foo` label and requires one.
official-cve-feed
Issues or PRs related to CVEs officially announced by Security Response Committee (SRC)
Comments
|
@sfowl: This issue is currently awaiting triage. If a SIG or subproject determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Fixed by #95236 |
|
/label official-cve-feed (Related to kubernetes/sig-security#1) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVSS Rating: 5.6 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N (Medium)
In Kubernetes clusters using VSphere as a cloud provider, with a logging level set to 4 or above, VSphere cloud credentials will be leaked in the cloud controller manager's log.
Am I vulnerable?
If you are using VSphere as a cloud provider, have verbose logging enabled, and an attacker can access cluster logs, then you may be vulnerable to this.
Affected Versions
kube-controller-manager v1.19.0 - v1.19.2
How do I mitigate this vulnerability?
Do not enable verbose logging in production, limit access to cluster logs.
Fixed Versions
v1.19.3
To upgrade, refer to the documentation: https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster
Acknowledgements
This vulnerability was reported by: Kaizhe Huang (derek0405)
/area security
/kind bug
/committee product-security
The text was updated successfully, but these errors were encountered: