Vulnerability from csaf_suse
Published
2020-12-23 08:18
Modified
2020-12-23 08:18
Summary
Security changes in Kubernetes, etcd, and helm; Bugfix in cri-o package
Notes
Title of the patch
Security changes in Kubernetes, etcd, and helm; Bugfix in cri-o package
Description of the patch
= Required Actions
== Kubernetes & etcd (Security fixes)
This fix involves an upgrade of Kubernetes and some add-ons. See https://documentation.suse.com/suse-caasp/4.2/html/caasp-admin/_cluster_updates.html#_updating_kubernetes_components for the upgrade procedure.
== Skuba & helm/helm3
To update skuba and helm or helm3, update the management workstation. See the detailed instructions at https://documentation.suse.com/suse-caasp/4.2/html/caasp-admin/_cluster_updates.html#_update_management_workstation
= Known Issues
Modifying the file `/etc/sysconfig/kubelet` directly is not supported; see the documentation at https://documentation.suse.com/suse-caasp/4.2/html/caasp-admin/_miscellaneous.html#_configuring_kubelet
Be sure to check the Release Notes at https://www.suse.com/releasenotes/x86_64/SUSE-CAASP/4/#_changes_in_4_2_4 for any additional known issues or behavioral changes.
Patchnames
SUSE-2020-3760,SUSE-SLE-Module-Containers-15-SP1-2020-3760
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
CSAF document
Aggregate severity: moderate (namespace https://www.suse.com/support/security/rating/)
Category: csaf_security_advisory
CSAF version: 2.0
Distribution: Copyright 2024 SUSE LLC. All rights reserved. TLP:WHITE (https://www.first.org/tlp/)
Language: en
Notes: the summary, description, patchnames and terms of use listed under Notes above.
Publisher: SUSE Product Security Team (vendor), https://www.suse.com/, contact https://www.suse.com/support/security/contact/
Title: Security changes in Kubernetes, etcd, and helm; Bugfix in cri-o package
Tracking: ID SUSE-SU-2020:3760-1, status final, version 1, initial and current release date 2020-12-23T08:18:56Z, generated by cve-database.git:bin/generate-csaf.pl version 1 on 2020-12-23T08:18:56Z. Revision history: 1 (2020-12-23T08:18:56Z), "Current version".
References
- SUSE ratings (external): https://www.suse.com/support/security/rating/
- URL of this CSAF notice: https://ftp.suse.com/pub/projects/security/csaf/suse-su-2020_3760-1.json
- URL for SUSE-SU-2020:3760-1: https://www.suse.com/support/update/announcement/2020/suse-su-20203760-1/
- E-Mail link for SUSE-SU-2020:3760-1: https://lists.suse.com/pipermail/sle-security-updates/2020-December/007973.html
- SUSE Bug 1174219: https://bugzilla.suse.com/1174219
- SUSE Bug 1174951: https://bugzilla.suse.com/1174951
- SUSE Bug 1176752: https://bugzilla.suse.com/1176752
- SUSE Bug 1176753: https://bugzilla.suse.com/1176753
- SUSE Bug 1176754: https://bugzilla.suse.com/1176754
- SUSE Bug 1176755: https://bugzilla.suse.com/1176755
- SUSE Bug 1177661: https://bugzilla.suse.com/1177661
- SUSE Bug 1177662: https://bugzilla.suse.com/1177662
- SUSE CVE pages: https://www.suse.com/security/cve/CVE-2020-15106/, https://www.suse.com/security/cve/CVE-2020-15112/, https://www.suse.com/security/cve/CVE-2020-15184/, https://www.suse.com/security/cve/CVE-2020-15185/, https://www.suse.com/security/cve/CVE-2020-15186/, https://www.suse.com/security/cve/CVE-2020-15187/, https://www.suse.com/security/cve/CVE-2020-8565/, https://www.suse.com/security/cve/CVE-2020-8566/
Product tree
Vendor: SUSE; product family: SUSE Linux Enterprise; product: SUSE Linux Enterprise Module for Containers 15 SP1 (cpe:/o:suse:sle-module-containers:15:sp1)
Product versions, noarch: coredns-extras-1.6.7-3.13.1.noarch, skuba-update-1.4.11-3.49.2.noarch
Product versions, x86_64: caasp-release-4.2.4-24.36.1.x86_64, coredns-1.6.7-3.13.1.x86_64, cri-o-1.16.1-3.37.3.x86_64, cri-o-kubeadm-criconfig-1.16.1-3.37.3.x86_64, etcd-3.4.13-4.15.1.x86_64, etcdctl-3.4.13-4.15.1.x86_64, helm-2.16.12-3.10.1.x86_64, helm3-3.3.3-1.3.1.x86_64, kubectl-caasp-1.4.11-3.49.2.x86_64, kubernetes-client-1.17.13-4.21.2.x86_64, kubernetes-common-1.17.13-4.21.2.x86_64, kubernetes-extra-1.17.13-4.21.2.x86_64, kubernetes-kubeadm-1.17.13-4.21.2.x86_64, kubernetes-kubelet-1.17.13-4.21.2.x86_64, kubernetes-master-1.17.13-4.21.2.x86_64, kubernetes-node-1.17.13-4.21.2.x86_64, kucero-1.3.0-1.3.1.x86_64, skuba-1.4.11-3.49.2.x86_64, terraform-provider-aws-2.59.0-1.6.1.x86_64
Relationships (default_component_of): kubernetes-client-1.17.13-4.21.2.x86_64 and kubernetes-common-1.17.13-4.21.2.x86_64 as components of SUSE Linux Enterprise Module for Containers 15 SP1 (product IDs "SUSE Linux Enterprise Module for Containers 15 SP1:kubernetes-client-1.17.13-4.21.2.x86_64" and "SUSE Linux Enterprise Module for Containers 15 SP1:kubernetes-common-1.17.13-4.21.2.x86_64")
Vulnerabilities
For every CVE below, product status is "recommended" for SUSE Linux Enterprise Module for Containers 15 SP1:kubernetes-client-1.17.13-4.21.2.x86_64 and SUSE Linux Enterprise Module for Containers 15 SP1:kubernetes-common-1.17.13-4.21.2.x86_64; the CVSS score applies to those two products; the remediation (vendor_fix) is "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch"."; and the impact threat is dated 2020-12-23T08:18:56Z.
CVE-2020-15106 (SUSE CVE Page: https://www.suse.com/security/cve/CVE-2020-15106)
CVE description: In etcd before versions 3.3.23 and 3.4.10, a large slice causes panic in decodeRecord method. The size of a record is stored in the length field of a WAL file and no additional validation is done on this data. Therefore, it is possible to forge an extremely large frame size that can unintentionally panic at the expense of any RAFT participant trying to decode the WAL.
References: CVE-2020-15106 https://www.suse.com/security/cve/CVE-2020-15106; SUSE Bug 1174951 for CVE-2020-15106 https://bugzilla.suse.com/1174951
CVSS v3.1: 5.3 MEDIUM, CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Impact: moderate
CVE-2020-15112 (SUSE CVE Page: https://www.suse.com/security/cve/CVE-2020-15112)
CVE description: In etcd before versions 3.3.23 and 3.4.10, it is possible to have an entry index greater than the number of entries in the ReadAll method in wal/wal.go. This could cause issues when WAL entries are being read during consensus as an arbitrary etcd consensus participant could go down from a runtime panic when reading the entry.
References: CVE-2020-15112 https://www.suse.com/security/cve/CVE-2020-15112; SUSE Bug 1174951 for CVE-2020-15112 https://bugzilla.suse.com/1174951
CVSS v3.1: 5.3 MEDIUM, CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Impact: moderate
CVE-2020-15184 (SUSE CVE Page: https://www.suse.com/security/cve/CVE-2020-15184)
CVE description: In Helm before versions 2.16.11 and 3.3.2 there is a bug in which the `alias` field on a `Chart.yaml` is not properly sanitized. This could lead to the injection of unwanted information into a chart. This issue has been patched in Helm 3.3.2 and 2.16.11. A possible workaround is to manually review the `dependencies` field of any untrusted chart, verifying that the `alias` field is either not used, or (if used) does not contain newlines or path characters.
References: CVE-2020-15184 https://www.suse.com/security/cve/CVE-2020-15184; SUSE Bug 1176755 for CVE-2020-15184 https://bugzilla.suse.com/1176755
CVSS v3.1: 2.7 LOW, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Impact: low
CVE-2020-15185 (SUSE CVE Page: https://www.suse.com/security/cve/CVE-2020-15185)
CVE description: In Helm before versions 2.16.11 and 3.3.2, a Helm repository can contain duplicates of the same chart, with the last one always used. If a repository is compromised, this lowers the level of access that an attacker needs to inject a bad chart into a repository. To perform this attack, an attacker must have write access to the index file (which can occur during a MITM attack on a non-SSL connection). This issue has been patched in Helm 3.3.2 and 2.16.11. A possible workaround is to manually review the index file in the Helm repository cache before installing software.
References: CVE-2020-15185 https://www.suse.com/security/cve/CVE-2020-15185; SUSE Bug 1176754 for CVE-2020-15185 https://bugzilla.suse.com/1176754
CVSS v3.1: 2.2 LOW, CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N
Impact: low
CVE-2020-15186 (SUSE CVE Page: https://www.suse.com/security/cve/CVE-2020-15186)
CVE description: In Helm before versions 2.16.11 and 3.3.2 plugin names are not sanitized properly. As a result, a malicious plugin author could use characters in a plugin name that would result in unexpected behavior, such as duplicating the name of another plugin or spoofing the output to `helm --help`. This issue has been patched in Helm 3.3.2. A possible workaround is to not install untrusted Helm plugins. Examine the `name` field in the `plugin.yaml` file for a plugin, looking for characters outside of the [a-zA-Z0-9._-] range.
References: CVE-2020-15186 https://www.suse.com/security/cve/CVE-2020-15186; SUSE Bug 1176753 for CVE-2020-15186 https://bugzilla.suse.com/1176753
CVSS v3.1: 3.4 LOW, CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N
Impact: low
CVE-2020-15187 (SUSE CVE Page: https://www.suse.com/security/cve/CVE-2020-15187)
CVE description: In Helm before versions 2.16.11 and 3.3.2, a Helm plugin can contain duplicates of the same entry, with the last one always used. If a plugin is compromised, this lowers the level of access that an attacker needs to modify a plugin's install hooks, causing a local execution attack. To perform this attack, an attacker must have write access to the git repository or plugin archive (.tgz) while being downloaded (which can occur during a MITM attack on a non-SSL connection). This issue has been patched in Helm 2.16.11 and Helm 3.3.2. As a possible workaround make sure to install plugins using a secure connection protocol like SSL.
References: CVE-2020-15187 https://www.suse.com/security/cve/CVE-2020-15187; SUSE Bug 1176752 for CVE-2020-15187 https://bugzilla.suse.com/1176752
CVSS v3.1: 3 LOW, CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N
Impact: low
CVE-2020-8565 (SUSE CVE Page: https://www.suse.com/security/cve/CVE-2020-8565)
CVE description: In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. This affects <= v1.19.3, <= v1.18.10, <= v1.17.13, < v1.20.0-alpha2.
References: CVE-2020-8565 https://www.suse.com/security/cve/CVE-2020-8565; SUSE Bug 1177661 for CVE-2020-8565 https://bugzilla.suse.com/1177661
CVSS v3.1: 4.7 MEDIUM, CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Impact: moderate
CVE-2020-8566 (SUSE CVE Page: https://www.suse.com/security/cve/CVE-2020-8566)
CVE description: In Kubernetes clusters using Ceph RBD as a storage provisioner, with logging level of at least 4, Ceph RBD admin secrets can be written to logs. This occurs in kube-controller-manager's logs during provisioning of Ceph RBD persistent claims. This affects < v1.19.3, < v1.18.10, < v1.17.13.
References: CVE-2020-8566 https://www.suse.com/security/cve/CVE-2020-8566; SUSE Bug 1177662 for CVE-2020-8566 https://bugzilla.suse.com/1177662
CVSS v3.1: 4.7 MEDIUM, CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Impact: moderate