CVE-2019-11245
Published: 2019-08-29
Priority: P337 · high · 7.8 (CVSS 3.0)
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.60% (44.2nd percentile)
In kubelet v1.13.6 and v1.14.2, containers for pods that do not specify an explicit runAsUser attempt to run as uid 0 (root) on container restart, or if the image was previously pulled to the node. If the pod specified mustRunAsNonRoot: true, the kubelet will refuse to start the container as root. If the pod did not specify mustRunAsNonRoot: true, the kubelet will run the container as uid 0.
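As an added illustration (not code from any of the advisories quoted on this page), the following Python script audits pod manifests for the condition the description names: containers whose pod sets no explicit `runAsUser`. It uses the pod `securityContext` field names from the Kubernetes security-context documentation linked under References (`runAsUser`, `runAsNonRoot`; the advisory's `mustRunAsNonRoot` is the PodSecurityPolicy rule that enforces the same guard). Pods with no explicit uid and no `runAsNonRoot` guard are reported as exposed (they would have silently come up as uid 0), pods with the guard as fail-closed (the kubelet refuses to start the container as root), and the `harden_pod` helper shows the mitigation of pinning an explicit non-zero uid. The manifests, image names and uid 1000 are constructed sample values.

```python
"""Audit pod specs for reliance on the image USER instead of an explicit uid.

Added example for CVE-2019-11245 (not part of the advisories on this page):
under kubelet 1.13.6 / 1.14.2, a container whose pod set no explicit runAsUser
could come back as uid 0 on restart. Pods with runAsNonRoot: true failed closed
(the kubelet refused to start the container as root); pods that set neither
silently ran as root. Manifests are plain dicts (as loaded from YAML/JSON), so
this runs offline. All sample pods, images and uids below are constructed.
"""
import copy
import json
import sys

EXPOSED = "EXPOSED"              # no explicit uid and no runAsNonRoot guard
FAIL_CLOSED = "FAIL_CLOSED"      # no explicit uid, but runAsNonRoot: true -> kubelet refuses root
ROOT_BY_DESIGN = "ROOT_BY_DESIGN"  # explicit runAsUser: 0
REJECTED = "REJECTED"            # runAsUser: 0 together with runAsNonRoot: true (kubelet refuses)
PINNED = "PINNED"                # explicit non-zero runAsUser: not affected


def _effective(pod_spec, container, key):
    """Container-level securityContext overrides the pod-level one for `key`."""
    container_sc = container.get("securityContext") or {}
    pod_sc = pod_spec.get("securityContext") or {}
    if key in container_sc:
        return container_sc[key]
    return pod_sc.get(key)


def classify_container(pod_spec, container):
    """Classify one container by its effective runAsUser / runAsNonRoot."""
    uid = _effective(pod_spec, container, "runAsUser")
    non_root = _effective(pod_spec, container, "runAsNonRoot")
    if uid is None:
        return FAIL_CLOSED if non_root is True else EXPOSED
    if uid == 0:
        return REJECTED if non_root is True else ROOT_BY_DESIGN
    return PINNED


def audit_pod(pod):
    """Return {container name: classification} for all containers and init containers."""
    spec = pod.get("spec") or {}
    containers = list(spec.get("containers") or []) + list(spec.get("initContainers") or [])
    return {c["name"]: classify_container(spec, c) for c in containers}


def harden_pod(pod, uid=1000):
    """Return a copy with an explicit non-zero uid and the runAsNonRoot guard at pod level.

    A container that sets its own runAsUser keeps it (container level wins), so a
    container pinned to uid 0 is reported as REJECTED by audit_pod afterwards.
    """
    hardened = copy.deepcopy(pod)
    sc = hardened.setdefault("spec", {}).setdefault("securityContext", {})
    sc["runAsUser"] = uid
    sc["runAsNonRoot"] = True
    return hardened


# Constructed sample manifests (not real workloads).
SAMPLE_PODS = [
    {"metadata": {"name": "web"}, "spec": {"containers": [
        {"name": "nginx", "image": "example/nginx-unprivileged:1.0"}]}},  # relies on image USER only
    {"metadata": {"name": "api"}, "spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [
            {"name": "app", "image": "example/api:2.3"},
            {"name": "sidecar", "image": "example/proxy:1.1",
             "securityContext": {"runAsUser": 65532}}]}},
    {"metadata": {"name": "agent"}, "spec": {"containers": [
        {"name": "collector", "image": "example/agent:0.9",
         "securityContext": {"runAsUser": 0}}]}},
]


def audit_all(pods):
    """Audit a list of pods (or the items of a kubectl -o json List)."""
    return {p["metadata"]["name"]: audit_pod(p) for p in pods}


if __name__ == "__main__":
    # Usage: python audit.py            -> audits the constructed samples
    #        kubectl get pods -A -o json | python audit.py -
    if "-" in sys.argv[1:]:
        data = json.load(sys.stdin)
        pods = data.get("items", [data])
    else:
        pods = SAMPLE_PODS
    for pod_name, result in audit_all(pods).items():
        for container, status in result.items():
            print(f"{pod_name}/{container}: {status}")
```

Only `EXPOSED` entries mattered for this CVE; `FAIL_CLOSED` pods would have failed to start rather than run as root, which is why the runAsNonRoot guard is worth setting cluster-wide even after upgrading past the affected kubelet versions.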
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | kubernetes | — | — |
| k8s.io | kubernetes | >= 1.13.0 < 1.13.7 | 1.13.7 |
| k8s.io | kubernetes | >= 1.14.0 < 1.14.3 | 1.14.3 |
| k8s.io | kubernetes_cmd_kubelet | >= 1.13.0 < 1.13.7 | 1.13.7 |
| k8s.io | kubernetes_cmd_kubelet | >= 1.14.0 < 1.14.3 | 1.14.3 |
| kubernetes | kubernetes | — | — |
| kubernetes | kubernetes | — | — |
| kubernetes | kubernetes | — | — |
| kubernetes | kubernetes | — | — |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 4.6 | MEDIUM | AV:L/AC:L/Au:N/C:P/I:P/A:P |
| vendor_debian | — | 4.9 | LOW | — |
| vendor_redhat | — | 4.9 | MEDIUM | — |
Red Hat
kubernetes: container uid changes to root after first restart
vendor_redhat · 2019-05-24 · CVSS 4.9 · MEDIUM · CWE-266
In kubelet v1.13.6 and v1.14.2, containers for pods that do not specify an explicit runAsUser attempt to run as uid 0 (root) on container restart, or if the image was previously pulled to the node. If the pod specified mustRunAsNonRoot: true, the kubelet will refuse to start the container as root. If the pod did not specify mustRunAsNonRoot: true, the kubelet will run the container as uid 0.
Statement: This vulnerability only affects upstream Kubernetes versions 1.13.6 and 1.14.2. All released versions of Red Hat OpenShift Container Platform and Red Hat Gluster Storage 3 are not affected by this flaw as they do not contain the vulnerable code.
Mitigation: There are two potential mitigations to this issue:
1. Downgrade to kube
Debian
CVE-2019-11245: kubernetes - In kubelet v1.13.6 and v1.14.2, containers for pods that do not specify an expli...
vendor_debian · 2019 · CVSS 4.9 · MEDIUM
In kubelet v1.13.6 and v1.14.2, containers for pods that do not specify an explicit runAsUser attempt to run as uid 0 (root) on container restart, or if the image was previously pulled to the node. If the pod specified mustRunAsNonRoot: true, the kubelet will refuse to start the container as root. If the pod did not specify mustRunAsNonRoot: true, the kubelet will run the container as uid 0.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
OSV
Kubelet Incorrect Privilege Assignment in k8s.io/kubernetes
osv · 2024-06-10
OSV
Kubelet Incorrect Privilege Assignment
osv · 2024-04-24 · MEDIUM
In kubelet v1.13.6 and v1.14.2, containers for pods that do not specify an explicit `runAsUser` attempt to run as uid 0 (root) on container restart, or if the image was previously pulled to the node. If the pod specified `mustRunAsNonRoot: true`, the kubelet will refuse to start the container as root. If the pod did not specify `mustRunAsNonRoot: true`, the kubelet will run the container as uid 0.
GHSA
Kubelet Incorrect Privilege Assignment
ghsa · 2024-04-24 · MEDIUM · CWE-266
In kubelet v1.13.6 and v1.14.2, containers for pods that do not specify an explicit `runAsUser` attempt to run as uid 0 (root) on container restart, or if the image was previously pulled to the node. If the pod specified `mustRunAsNonRoot: true`, the kubelet will refuse to start the container as root. If the pod did not specify `mustRunAsNonRoot: true`, the kubelet will run the container as uid 0.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2019-11245 kubernetes: container uid changes to root after first restart
bugzilla · 2019-05-31 · CVSS 4.9 · MEDIUM
In kubelet v1.13.6 and v1.14.2, containers for pods that do not specify an explicit runAsUser attempt to run as uid 0 (root) on container restart, or if the image was previously pulled to the node. If the pod specified mustRunAsNonRoot: true, the kubelet will refuse to start the container as root. If the pod did not specify mustRunAsNonRoot: true, the kubelet will run the container as uid 0.
Reference:
https://github.com/kubernetes/kubernetes/issues/78308
https://github.com/rancher/k3s/issues/511
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
Discussion:
Upstream Fixes:
https://github.com/kubernetes/kubernetes/pull/78261 (master)
https://github.co
Unit42
Non-Root Containers, Kubernetes CVE-2019-11245 and Why You Should Care
blogs_unit42 · 2019-08-28 · CVSS 4.9 · MEDIUM
Ariel Zelivansky
Published: August 28, 2019
Tags: Cloud Cybersecurity Research, Threat Research, Vulnerabilities, Containers, CVE-2019-11245, Kubernetes
On May 31st, the Kubernetes Product Security Committee announced a security regression in Kubernetes for which they had assigned CVE-2019-11245. The problem caused containers that use images which are supposed to run with a non-root user to run as root, on the second time they are used or upon restart of the container.
Before elaborating on this particular security issue, let's first clarify why running a program as root in a container is a concern at all.
## Non-root containers
When running applications on a non-containerized Linux environment, e.g. on the host machine, it is commonly understood why isolation between the root user and non-privileged users is desired. If run as root, any breached or misbehaving application could easily wreak havoc on the system, by modifying system