CVE-2019-11248
Published 2019-08-29
Priority: P1 82 high · CVSS 3.1: 8.2
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
ITW EXPLOIT · VulnCheck KEV · Exploited in the wild
EPSS: 61.14% (99.0th percentile)
The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet healthz port. The go pprof endpoint is exposed over the Kubelet's healthz port. This debugging endpoint can potentially leak sensitive information such as internal Kubelet memory addresses and configuration, or be used for limited denial of service. Versions prior to 1.15.0, 1.14.4, 1.13.8, and 1.12.10 are affected. The issue is of medium severity, but not exposed by the default configuration.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | kubernetes | < kubernetes 1.17.4-1 (bookworm) | kubernetes 1.17.4-1 (bookworm) |
| kubernetes | kubernetes | < 1.12.10 | 1.12.10 |
Detection & IOCs
- HTTP GET request to /debug/pprof/ or /debug/pprof/goroutine?debug=1 on the Kubelet healthz port (default 10248, also seen on 9100); match response body for strings indicating pprof exposure.
- Check Kubelet configuration for a non-localhost healthzBindAddress (--healthz-bind-address); if set to a non-loopback address on versions prior to 1.15.0, 1.14.4, 1.13.8, or 1.12.10, the node is exposed.
- Verify healthzPort is not 0 (disabled) and healthzBindAddress is not 127.0.0.1 by querying: `kubectl get --raw /api/v1/nodes/${NODE_NAME}/proxy/configz | jq -r '.kubeletconfig.healthzBindAddress, .kubeletconfig.healthzPort'`
- Shodan/FOFA hunting: search for Kubernetes nodes exposing the pprof debug endpoint using query 'http.title:"kubernetes web view"'.
- The vulnerability is NOT exposed by the default Kubelet configuration; the healthz endpoint binds to localhost (127.0.0.1:10248) by default, limiting exposure to pods or processes in the host network namespace.
- OpenShift Container Platform 3 is not affected because the kubelet healthz server is disabled by default (healthzPort=0).
- OpenShift Container Platform 4 enables /debug/pprof on the kubelet healthz server but restricts it to local traffic only.
- Affected versions are strictly prior to 1.15.0, 1.14.4, 1.13.8, and 1.12.10; patched versions are not vulnerable.
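The configuration and version checks in the list above, combined into one verdict per node. This is an added example, not part of the original page or of any vendor tooling; the function names, verdict words and inventory lines are constructed, and loopback is assumed to mean 127.0.0.0/8, ::1 or localhost.

```shell
#!/bin/sh
# Added example: classify a node's exposure to CVE-2019-11248 from three facts.

# is_affected_version VERSION: exit 0 if prior to the fixed releases the page
# lists (1.15.0, 1.14.4, 1.13.8, 1.12.10), 1 if fixed, 2 if unparseable.
is_affected_version() {
    v=${1#v}              # kubeletVersion looks like v1.14.3
    v=${v%%[-+]*}         # drop build suffixes such as -gke.1
    case "$v" in *.*.*) ;; *) return 2 ;; esac
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}; patch=${rest#*.}
    for part in "$major" "$minor" "$patch"; do
        case "$part" in ''|*[!0-9]*) return 2 ;; esac
    done
    [ "$major" -eq 1 ] || return 2   # assumption: only 1.x is in scope
    case "$minor" in
        12) [ "$patch" -lt 10 ] ;;
        13) [ "$patch" -lt 8 ] ;;
        14) [ "$patch" -lt 4 ] ;;
        *)  [ "$minor" -lt 12 ] ;;
    esac
}

# classify_node VERSION BIND_ADDR PORT: print one verdict word.
classify_node() {
    version=$1; addr=$2; port=$3
    is_affected_version "$version" && rc=0 || rc=$?
    if [ "$rc" -eq 2 ]; then echo unknown-version; return 0; fi
    if [ "$rc" -eq 1 ]; then echo patched; return 0; fi
    if [ "$port" = 0 ]; then echo healthz-disabled; return 0; fi
    case "$addr" in
        127.*|::1|localhost) echo host-local-only ;;  # host network namespace only
        *) echo network-exposed ;;
    esac
}

# Constructed inventory: node, kubeletVersion, healthzBindAddress, healthzPort.
while read -r node version addr port; do
    printf '%-8s %s\n' "$node" "$(classify_node "$version" "$addr" "$port")"
done <<'EOF'
node-a v1.14.3 0.0.0.0 10248
node-b v1.14.3 127.0.0.1 10248
node-c v1.13.7 0.0.0.0 0
node-d v1.15.0 0.0.0.0 10248
EOF
```

In a real cluster the version comes from each node's `.status.nodeInfo.kubeletVersion` and the other two values from the configz query shown in the list.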
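CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L |
| nvd | v3.0 | 6.5 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L |
| nvd | v2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:P |
| osv | — | 8.2 | HIGH | — |
| vulncheck | — | 8.2 | HIGH | — |
| vendor_debian | — | 8.2 | HIGH | — |
| vendor_redhat | — | 8.2 | HIGH | — |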
Red Hat
kubernetes: /debug/pprof endpoint exposed on kubelet's healthz port
vendor_redhat · 2019-08-07 · CVSS 8.2 · HIGH · CWE-284
The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet healthz port. The go pprof endpoint is exposed over the Kubelet's healthz port. This debugging endpoint can potentially leak sensitive information such as internal Kubelet memory addresses and configuration, or for limited denial of service. Versions prior to 1.15.0, 1.14.4, 1.13.8, and 1.12.10 are affected. The issue is of medium severity, but not exposed by the default configuration.
Statement: OpenShift Container Platform 3 is not vulnerable to this flaw as the kubelet healthz server is disabled by default. OpenShift Container Platform 4 enables the /debug/pprof endpoint on the kubelet healthz server to local traffic only.
There are multip
Debian
CVE-2019-11248: kubernetes - The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet ...
vendor_debian · 2019 · CVSS 8.2 · HIGH
The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet healthz port. The go pprof endpoint is exposed over the Kubelet's healthz port. This debugging endpoint can potentially leak sensitive information such as internal Kubelet memory addresses and configuration, or for limited denial of service. Versions prior to 1.15.0, 1.14.4, 1.13.8, and 1.12.10 are affected. The issue is of medium severity, but not exposed by the default configuration.
Scope: local
bookworm: resolved (fixed in 1.17.4-1)
bullseye: resolved (fixed in 1.17.4-1)
forky: resolved (fixed in 1.17.4-1)
sid: resolved (fixed in 1.17.4-1)
trixie: resolved (fixed in 1.17.4-1)
GHSA
GHSA-9frv-h2cf-52wh: The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet healthz port
ghsa_unreviewed · 2022-05-24 · HIGH · CWE-419
The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet healthz port. The go pprof endpoint is exposed over the Kubelet's healthz port. This debugging endpoint can potentially leak sensitive information such as internal Kubelet memory addresses and configuration, or for limited denial of service. Versions prior to 1.15.0, 1.14.4, 1.13.8, and 1.12.10 are affected. The issue is of medium severity, but not exposed by the default configuration.
OSV
CVE-2019-11248: The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet healthz port
osv · 2019-08-29 · CVSS 8.2 · HIGH
The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet healthz port. The go pprof endpoint is exposed over the Kubelet's healthz port. This debugging endpoint can potentially leak sensitive information such as internal Kubelet memory addresses and configuration, or for limited denial of service. Versions prior to 1.15.0, 1.14.4, 1.13.8, and 1.12.10 are affected. The issue is of medium severity, but not exposed by the default configuration.
VulnCheck
kubernetes kubernetes Unprotected Primary Channel
vulncheck · 2019 · CVSS 8.2 · HIGH
The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet healthz port. The go pprof endpoint is exposed over the Kubelet's healthz port. This debugging endpoint can potentially leak sensitive information such as internal Kubelet memory addresses and configuration, or for limited denial of service. Versions prior to 1.15.0, 1.14.4, 1.13.8, and 1.12.10 are affected. The issue is of medium severity, but not exposed by the default configuration.
Affected: kubernetes kubernetes
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerabi
No detection rules found.
Nuclei
Debug Endpoint pprof - Exposure Detection
nuclei · CVSS 8.2 · HIGH
The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet healthz port. This debugging endpoint can potentially leak sensitive information such as internal Kubelet memory addresses and configuration, or for limited denial of service. Versions prior to 1.15.0, 1.14.4, 1.13.8, and 1.12.10 are affected. The issue is of medium severity, but not exposed by the default configuration.
Template:
id: CVE-2019-11248
info:
  name: Debug Endpoint pprof - Exposure Detection
  author: 0xceeb,ritikchaddha
  severity: high
  description: |
    The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet healthz port. This debugging endpoint can potentially leak sensitive information such as internal Kubelet memory addresses and con
arXiv
Microservice Vulnerability Analysis: A Literature Review with Empirical Insights
arxiv_fulltext · 2024-07-31
Authors: Raveen Kanishka Jayalath* (University of Adelaide, Australia); Hussain Ahmad* (University of Adelaide, Australia; corresponding author); Diksha Goel (CSIRO's Data61, Australia); Muhammad Shuja Syed (SLB, USA); Faheem Ullah (University of Adelaide, Australia)
*Authors contributed equally to this work.
## Abstract
Microservice architectures are revolutionizing both small businesses and large corporations, igniting a new era of innovation with their exceptional advantages in maintainability, reusability, and scalability. However, these benefits come w
HackerOne
CVE-2019-11248 on http://█.█.█.█:9100/debug/pprof/goroutine
hackerone · 2022-07-18 · CVSS 8.2 · HIGH
@mr_k0anti reported to us an exposed debugging endpoint (`/debug/pprof`) over the unauthenticated Kubelet healthz port `9100`. No sensitive information has been disclosed & the affected host belonged to our staging environment.
The issue has been rectified.
Bugzilla
CVE-2019-11248 kubernetes: /debug/pprof endpoint exposed on kubelet's healthz port [fedora-all]
bugzilla · 2019-08-07 · CVSS 8.2 · HIGH
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple
Bugzilla
CVE-2019-11248 kubernetes: /debug/pprof endpoint exposed on kubelet's healthz port
bugzilla · 2019-08-07 · CVSS 8.2 · HIGH
The Kubernetes debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet healthz port. Versions prior to 1.15.0, 1.14.4, 1.13.8, and 1.12.10 are affected. The issue is of medium severity, but only exposed locally by the default configuration.
By default, the Kubelet exposes unauthenticated healthz endpoints on port :10248, but only over localhost. If your nodes are using a non-localhost healthzBindAddress (--health-bind-address), and an older version, you may be vulnerable. If your nodes are using the default localhost healthzBindAddress, it is only exposed to pods or processes running in the host network namespace.
The `go pprof` endpoint is exposed over the Kubelet's healthz port. This
- https://github.com/kubernetes/kubernetes/issues/81023
- https://groups.google.com/d/msg/kubernetes-security-announce/pKELclHIov8/BEDtRELACQAJ
- https://security.netapp.com/advisory/ntap-20190919-0003/
Published 2019-08-29. Exploited in the wild.