kubernetes-apiserver-1.22.2-21.2 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10901-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z kubernetes-apiserver-1.22.2-21.2 on GA media These are all security issues fixed in the kubernetes-apiserver-1.22.2-21.2 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10901 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2016-5195/ SUSE CVE CVE-2016-5195 page https://www.suse.com/security/cve/CVE-2016-8859/ SUSE CVE CVE-2016-8859 page https://www.suse.com/security/cve/CVE-2017-1002101/ SUSE CVE CVE-2017-1002101 page https://www.suse.com/security/cve/CVE-2018-1002105/ SUSE CVE CVE-2018-1002105 page https://www.suse.com/security/cve/CVE-2019-11247/ SUSE CVE CVE-2019-11247 page https://www.suse.com/security/cve/CVE-2019-11249/ SUSE CVE CVE-2019-11249 page https://www.suse.com/security/cve/CVE-2019-11253/ SUSE CVE CVE-2019-11253 page https://www.suse.com/security/cve/CVE-2019-9512/ SUSE CVE CVE-2019-9512 page openSUSE Tumbleweed kubernetes-apiserver-1.22.2-21.2 kubernetes-apiserver-minus1-1.21.5-21.2 kubernetes-client-1.22.2-21.2 kubernetes-controller-manager-1.22.2-21.2 kubernetes-controller-manager-minus1-1.21.5-21.2 kubernetes-coredns-1.8.4-21.2 kubernetes-coredns-minus1-1.8.0-21.2 kubernetes-etcd-3.5.0-21.2 kubernetes-etcd-minus1-3.4.13-21.2 kubernetes-kubeadm-1.22.2-21.2 kubernetes-kubelet-1.22.2-21.2 kubernetes-proxy-1.22.2-21.2 kubernetes-proxy-minus1-1.21.5-21.2 kubernetes-scheduler-1.22.2-21.2 kubernetes-scheduler-minus1-1.21.5-21.2 kubernetes-apiserver-1.22.2-21.2 as a component of openSUSE Tumbleweed kubernetes-apiserver-minus1-1.21.5-21.2 as a component of openSUSE Tumbleweed kubernetes-client-1.22.2-21.2 as a component of openSUSE Tumbleweed kubernetes-controller-manager-1.22.2-21.2 as a component of openSUSE Tumbleweed kubernetes-controller-manager-minus1-1.21.5-21.2 as a component of openSUSE Tumbleweed kubernetes-coredns-1.8.4-21.2 as a component of openSUSE Tumbleweed kubernetes-coredns-minus1-1.8.0-21.2 as a component of openSUSE Tumbleweed kubernetes-etcd-3.5.0-21.2 as a component of openSUSE Tumbleweed kubernetes-etcd-minus1-3.4.13-21.2 as a component of openSUSE Tumbleweed kubernetes-kubeadm-1.22.2-21.2 as a component of openSUSE Tumbleweed kubernetes-kubelet-1.22.2-21.2 as a component of openSUSE Tumbleweed kubernetes-proxy-1.22.2-21.2 as a component of openSUSE Tumbleweed kubernetes-proxy-minus1-1.21.5-21.2 as a component of openSUSE Tumbleweed kubernetes-scheduler-1.22.2-21.2 as a component of openSUSE Tumbleweed kubernetes-scheduler-minus1-1.21.5-21.2 as a component of openSUSE Tumbleweed Race condition in mm/gup.c in the Linux kernel 2.x through 4.x before 4.8.3 allows local users to gain privileges by leveraging incorrect handling of a copy-on-write (COW) feature to write to a read-only memory mapping, as exploited in the wild in October 2016, aka "Dirty COW." CVE-2016-5195 openSUSE Tumbleweed:kubernetes-apiserver-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-apiserver-minus1-1.21.5-21.2 openSUSE Tumbleweed:kubernetes-client-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-controller-manager-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-controller-manager-minus1-1.21.5-21.2 openSUSE Tumbleweed:kubernetes-coredns-1.8.4-21.2 openSUSE Tumbleweed:kubernetes-coredns-minus1-1.8.0-21.2 openSUSE Tumbleweed:kubernetes-etcd-3.5.0-21.2 openSUSE Tumbleweed:kubernetes-etcd-minus1-3.4.13-21.2 openSUSE Tumbleweed:kubernetes-kubeadm-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-kubelet-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-proxy-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-proxy-minus1-1.21.5-21.2 openSUSE Tumbleweed:kubernetes-scheduler-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-scheduler-minus1-1.21.5-21.2 important 6.6 AV:L/AC:M/Au:S/C:C/I:C/A:C 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-5195.html CVE-2016-5195 https://bugzilla.suse.com/1004418 SUSE Bug 1004418 https://bugzilla.suse.com/1004419 SUSE Bug 1004419 https://bugzilla.suse.com/1004436 SUSE Bug 1004436 https://bugzilla.suse.com/1006323 SUSE Bug 1006323 https://bugzilla.suse.com/1006695 SUSE Bug 1006695 https://bugzilla.suse.com/1007291 SUSE Bug 1007291 https://bugzilla.suse.com/1008110 SUSE Bug 1008110 https://bugzilla.suse.com/1030118 SUSE Bug 1030118 https://bugzilla.suse.com/1046453 SUSE Bug 1046453 https://bugzilla.suse.com/1069496 SUSE Bug 1069496 https://bugzilla.suse.com/1149725 SUSE Bug 1149725 https://bugzilla.suse.com/870618 SUSE Bug 870618 https://bugzilla.suse.com/986445 SUSE Bug 986445 https://bugzilla.suse.com/998689 SUSE Bug 998689 Multiple integer overflows in the TRE library and musl libc allow attackers to cause memory corruption via a large number of (1) states or (2) tags, which triggers an out-of-bounds write. CVE-2016-8859 openSUSE Tumbleweed:kubernetes-apiserver-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-apiserver-minus1-1.21.5-21.2 openSUSE Tumbleweed:kubernetes-client-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-controller-manager-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-controller-manager-minus1-1.21.5-21.2 openSUSE Tumbleweed:kubernetes-coredns-1.8.4-21.2 openSUSE Tumbleweed:kubernetes-coredns-minus1-1.8.0-21.2 openSUSE Tumbleweed:kubernetes-etcd-3.5.0-21.2 openSUSE Tumbleweed:kubernetes-etcd-minus1-3.4.13-21.2 openSUSE Tumbleweed:kubernetes-kubeadm-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-kubelet-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-proxy-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-proxy-minus1-1.21.5-21.2 openSUSE Tumbleweed:kubernetes-scheduler-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-scheduler-minus1-1.21.5-21.2 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-8859.html CVE-2016-8859 https://bugzilla.suse.com/1005483 SUSE Bug 1005483 In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to versions 1.7.14, 1.8.9 and 1.9.4 containers using subpath volume mounts with any volume type (including non-privileged pods, subject to file permissions) can access files/directories outside of the volume, including the host's filesystem. CVE-2017-1002101 openSUSE Tumbleweed:kubernetes-apiserver-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-apiserver-minus1-1.21.5-21.2 openSUSE Tumbleweed:kubernetes-client-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-controller-manager-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-controller-manager-minus1-1.21.5-21.2 openSUSE Tumbleweed:kubernetes-coredns-1.8.4-21.2 openSUSE Tumbleweed:kubernetes-coredns-minus1-1.8.0-21.2 openSUSE Tumbleweed:kubernetes-etcd-3.5.0-21.2 openSUSE Tumbleweed:kubernetes-etcd-minus1-3.4.13-21.2 openSUSE Tumbleweed:kubernetes-kubeadm-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-kubelet-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-proxy-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-proxy-minus1-1.21.5-21.2 openSUSE Tumbleweed:kubernetes-scheduler-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-scheduler-minus1-1.21.5-21.2 important 5.5 AV:N/AC:L/Au:S/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-1002101.html CVE-2017-1002101 https://bugzilla.suse.com/1084923 SUSE Bug 1084923 https://bugzilla.suse.com/1085007 SUSE Bug 1085007 https://bugzilla.suse.com/1085009 SUSE Bug 1085009 https://bugzilla.suse.com/1096726 SUSE Bug 1096726 In all Kubernetes versions prior to v1.10.11, v1.11.5, and v1.12.3, incorrect handling of error responses to proxied upgrade requests in the kube-apiserver allowed specially crafted requests to establish a connection through the Kubernetes API server to backend servers, then send arbitrary requests over the same connection directly to the backend, authenticated with the Kubernetes API server's TLS credentials used to establish the backend connection. CVE-2018-1002105 openSUSE Tumbleweed:kubernetes-apiserver-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-apiserver-minus1-1.21.5-21.2 openSUSE Tumbleweed:kubernetes-client-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-controller-manager-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-controller-manager-minus1-1.21.5-21.2 openSUSE Tumbleweed:kubernetes-coredns-1.8.4-21.2 openSUSE Tumbleweed:kubernetes-coredns-minus1-1.8.0-21.2 openSUSE Tumbleweed:kubernetes-etcd-3.5.0-21.2 openSUSE Tumbleweed:kubernetes-etcd-minus1-3.4.13-21.2 openSUSE Tumbleweed:kubernetes-kubeadm-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-kubelet-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-proxy-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-proxy-minus1-1.21.5-21.2 openSUSE Tumbleweed:kubernetes-scheduler-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-scheduler-minus1-1.21.5-21.2 critical 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-1002105.html CVE-2018-1002105 https://bugzilla.suse.com/1118198 SUSE Bug 1118198 https://bugzilla.suse.com/1118260 SUSE Bug 1118260 The Kubernetes kube-apiserver mistakenly allows access to a cluster-scoped custom resource if the request is made as if the resource were namespaced. Authorizations for the resource accessed in this manner are enforced using roles and role bindings within the namespace, meaning that a user with access only to a resource in one namespace could create, view update or delete the cluster-scoped resource (according to their namespace role privileges). Kubernetes affected versions include versions prior to 1.13.9, versions prior to 1.14.5, versions prior to 1.15.2, and versions 1.7, 1.8, 1.9, 1.10, 1.11, 1.12. CVE-2019-11247 openSUSE Tumbleweed:kubernetes-apiserver-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-apiserver-minus1-1.21.5-21.2 openSUSE Tumbleweed:kubernetes-client-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-controller-manager-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-controller-manager-minus1-1.21.5-21.2 openSUSE Tumbleweed:kubernetes-coredns-1.8.4-21.2 openSUSE Tumbleweed:kubernetes-coredns-minus1-1.8.0-21.2 openSUSE Tumbleweed:kubernetes-etcd-3.5.0-21.2 openSUSE Tumbleweed:kubernetes-etcd-minus1-3.4.13-21.2 openSUSE Tumbleweed:kubernetes-kubeadm-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-kubelet-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-proxy-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-proxy-minus1-1.21.5-21.2 openSUSE Tumbleweed:kubernetes-scheduler-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-scheduler-minus1-1.21.5-21.2 moderate 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-11247.html CVE-2019-11247 https://bugzilla.suse.com/1142423 SUSE Bug 1142423 https://bugzilla.suse.com/1142434 SUSE Bug 1142434 The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes runs tar inside the container to create a tar archive, copies it over the network, and kubectl unpacks it on the user's machine. If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on the user's machine when kubectl cp is called, limited only by the system permissions of the local user. Kubernetes affected versions include versions prior to 1.13.9, versions prior to 1.14.5, versions prior to 1.15.2, and versions 1.1, 1.2, 1.4, 1.4, 1.5, 1.6, 1.7, 1.8, 1.9, 1.10, 1.11, 1.12. CVE-2019-11249 openSUSE Tumbleweed:kubernetes-apiserver-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-apiserver-minus1-1.21.5-21.2 openSUSE Tumbleweed:kubernetes-client-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-controller-manager-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-controller-manager-minus1-1.21.5-21.2 openSUSE Tumbleweed:kubernetes-coredns-1.8.4-21.2 openSUSE Tumbleweed:kubernetes-coredns-minus1-1.8.0-21.2 openSUSE Tumbleweed:kubernetes-etcd-3.5.0-21.2 openSUSE Tumbleweed:kubernetes-etcd-minus1-3.4.13-21.2 openSUSE Tumbleweed:kubernetes-kubeadm-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-kubelet-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-proxy-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-proxy-minus1-1.21.5-21.2 openSUSE Tumbleweed:kubernetes-scheduler-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-scheduler-minus1-1.21.5-21.2 moderate 5.8 AV:N/AC:M/Au:N/C:N/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-11249.html CVE-2019-11249 https://bugzilla.suse.com/1144507 SUSE Bug 1144507 Improper input validation in the Kubernetes API server in versions v1.0-1.12 and versions prior to v1.13.12, v1.14.8, v1.15.5, and v1.16.2 allows authorized users to send malicious YAML or JSON payloads, causing the API server to consume excessive CPU or memory, potentially crashing and becoming unavailable. Prior to v1.14.0, default RBAC policy authorized anonymous users to submit requests that could trigger this vulnerability. Clusters upgraded from a version prior to v1.14.0 keep the more permissive policy by default for backwards compatibility. CVE-2019-11253 openSUSE Tumbleweed:kubernetes-apiserver-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-apiserver-minus1-1.21.5-21.2 openSUSE Tumbleweed:kubernetes-client-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-controller-manager-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-controller-manager-minus1-1.21.5-21.2 openSUSE Tumbleweed:kubernetes-coredns-1.8.4-21.2 openSUSE Tumbleweed:kubernetes-coredns-minus1-1.8.0-21.2 openSUSE Tumbleweed:kubernetes-etcd-3.5.0-21.2 openSUSE Tumbleweed:kubernetes-etcd-minus1-3.4.13-21.2 openSUSE Tumbleweed:kubernetes-kubeadm-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-kubelet-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-proxy-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-proxy-minus1-1.21.5-21.2 openSUSE Tumbleweed:kubernetes-scheduler-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-scheduler-minus1-1.21.5-21.2 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-11253.html CVE-2019-11253 https://bugzilla.suse.com/1152861 SUSE Bug 1152861 Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. CVE-2019-9512 openSUSE Tumbleweed:kubernetes-apiserver-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-apiserver-minus1-1.21.5-21.2 openSUSE Tumbleweed:kubernetes-client-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-controller-manager-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-controller-manager-minus1-1.21.5-21.2 openSUSE Tumbleweed:kubernetes-coredns-1.8.4-21.2 openSUSE Tumbleweed:kubernetes-coredns-minus1-1.8.0-21.2 openSUSE Tumbleweed:kubernetes-etcd-3.5.0-21.2 openSUSE Tumbleweed:kubernetes-etcd-minus1-3.4.13-21.2 openSUSE Tumbleweed:kubernetes-kubeadm-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-kubelet-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-proxy-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-proxy-minus1-1.21.5-21.2 openSUSE Tumbleweed:kubernetes-scheduler-1.22.2-21.2 openSUSE Tumbleweed:kubernetes-scheduler-minus1-1.21.5-21.2 important 7.8 AV:N/AC:L/Au:N/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-9512.html CVE-2019-9512 https://bugzilla.suse.com/1145663 SUSE Bug 1145663 https://bugzilla.suse.com/1146099 SUSE Bug 1146099 https://bugzilla.suse.com/1146111 SUSE Bug 1146111 https://bugzilla.suse.com/1147142 SUSE Bug 1147142