Security Vulnerabilities and Fixes
Rancher is committed to disclosing security issues in our products to the community. Rancher notifies the community of fixed issues by publishing CVEs (Common Vulnerabilities and Exposures).
CVE ID | Description | Date Resolved | Resolution |
---|---|---|---|
CVE-2021-31999 | A vulnerability was discovered in which a malicious Rancher user could craft an API request to the Kubernetes API proxy of a managed cluster in order to obtain information they do not have permission to access. This was accomplished by passing the "Impersonate-User" or "Impersonate-Group" header inside the Connection header, which the proxy then stripped. At that point the request no longer impersonated the user and their permissions, but instead acted as if it came from the Rancher management server (i.e. the local server), and the requested information was returned. If you are running any Rancher 2.x version, you are affected. Only a valid Rancher user with some level of permission on the cluster can perform the request. There is no direct mitigation other than upgrading to a patched version. You can limit broader exposure by ensuring that all Rancher users are trusted. | 14 Jul 2021 | Rancher v2.5.9, Rancher v2.4.16 |
CVE-2021-25318 | A vulnerability was discovered in Rancher in which users were granted access to resources without regard to the resource's API group. For example, Rancher should have allowed the user access to apps.catalog.cattle.io but incorrectly granted access to apps.* as well. If you are running any Rancher 2.x version, you are affected. The extent of the vulnerability increases if other matching CRD resources are installed in the cluster. There is no direct mitigation other than upgrading to a patched version. | 14 Jul 2021 | Rancher v2.5.9, Rancher v2.4.16 |
CVE-2021-25320 | A vulnerability was discovered in Rancher in which cloud credentials were not properly validated through the Rancher API, specifically through a proxy intended to communicate with cloud providers. Any Rancher user who is logged in and knows a cloud credential ID valid for a particular cloud provider could make requests to that cloud provider's API through the proxy API, and the cloud credential would be attached. If you are running any Rancher version 2.2.0 or later and use cloud credentials, you are affected. The vulnerability is limited to valid Rancher users. There is no direct mitigation other than upgrading to a patched version. You can limit broader exposure by ensuring that all Rancher users are trusted. | 14 Jul 2021 | Rancher v2.5.9, Rancher v2.4.16 |
CVE-2021-25313 | A security vulnerability was discovered on all Rancher 2 versions. When accessing the Rancher API with a browser, the URL was not properly escaped, making it vulnerable to an XSS attack. Specially crafted URLs to these API endpoints could include JavaScript which would be embedded in the page and execute in a browser. There is no direct mitigation. Avoid clicking on untrusted links to your Rancher server. | 2 Mar 2021 | Rancher v2.5.6, Rancher v2.4.14, and Rancher v2.3.11 |
CVE-2019-14435 | This vulnerability allows authenticated users to potentially extract otherwise private data from IPs reachable from the system service containers used by Rancher. This can include, but is not limited to, services such as cloud provider metadata services. Although Rancher allows users to configure whitelisted domains for system service access, this flaw can still be exploited by a carefully crafted HTTP request. The issue was found and reported by Matt Belisle and Alex Stevenson at Workiva. | 5 Aug 2019 | Rancher v2.2.7 and Rancher v2.1.12 |
CVE-2019-14436 | The vulnerability allows a member of a project that has access to edit role bindings to be able to assign themselves or others a cluster level role granting them administrator access to that cluster. The issue was found and reported by Michal Lipinski at Nokia. | 5 Aug 2019 | Rancher v2.2.7 and Rancher v2.1.12 |
CVE-2019-13209 | The vulnerability is known as a Cross-Site WebSocket Hijacking attack. This attack allows an exploiter to gain access to clusters managed by Rancher with the roles/permissions of a victim. It requires that a victim be logged into a Rancher server and then access a third-party site hosted by the exploiter. Once that is accomplished, the exploiter is able to execute commands against the Kubernetes API with the permissions and identity of the victim. Reported by Matt Belisle and Alex Stevenson from Workiva. | 15 Jul 2019 | Rancher v2.2.5, Rancher v2.1.11 and Rancher v2.0.16 |
CVE-2019-12303 | Project owners can inject extra fluentd logging configurations that makes it possible to read files or execute arbitrary commands inside the fluentd container. Reported by Tyler Welton from Untamed Theory. | 5 Jun 2019 | Rancher v2.2.4, Rancher v2.1.10 and Rancher v2.0.15 |
CVE-2019-12274 | Nodes created with the built-in node drivers using a file path option allow the machine to read arbitrary files, including sensitive ones, from inside the Rancher server container. | 5 Jun 2019 | Rancher v2.2.4, Rancher v2.1.10 and Rancher v2.0.15 |
CVE-2019-11202 | The default admin, that is shipped with Rancher, will be re-created upon restart of Rancher despite being explicitly deleted. | 16 Apr 2019 | Rancher v2.2.2, Rancher v2.1.9 and Rancher v2.0.14 |
CVE-2019-6287 | Project members continue to get access to namespaces from projects that they were removed from if they were added to more than one project. | 29 Jan 2019 | Rancher v2.1.6 and Rancher v2.0.11 |
CVE-2018-20321 | Any project member with access to the default namespace can mount the netes-default service account in a pod and then use that pod to execute administrative privileged commands against the Kubernetes cluster. | 29 Jan 2019 | Rancher v2.1.6 and Rancher v2.0.11 - Rolling back from these versions or greater has specific instructions. |