July 02, 2019 2:00 PM PDT
CVE Identifier: CVE-2019-11246
AWS is aware of a security issue (CVE-2019-11246) in the Kubernetes kubectl tool that could allow a malicious container to replace or create files on a user's workstation.
If a user were to run an untrusted container containing a malicious version of the tar command and execute the kubectl cp operation, the kubectl binary unpacking the tar file could overwrite or create files on a user's workstation.
AWS customers should refrain from using untrusted containers. If customers use an untrusted container and use the kubectl tool to manage their Kubernetes clusters, they should refrain from running the kubectl cp command using the affected versions and update to the latest kubectl version.
Updating Kubectl
AWS currently vends kubectl for customers to download in the EKS service S3 bucket, as well as shipping the binary in our managed AMI.
1.10.x: Versions of kubectl vended by AWS 1.10.13 or earlier are affected. We recommend that you update to kubectl version 1.11.10.
1.11.x: Versions of kubectl vended by AWS 1.11.9 or earlier are affected. We recommend that you update to kubectl version 1.11.10..
1.12.x: Versions of kubectl vended by AWS 1.12.7 or earlier are affected. We recommend that you update to kubectl version 1.12.9.
1.13.x: kubectl 1.13.7 vended by AWS is not impacted.
EKS-optimized AMIs
The EKS-optimized AMIs for Kubernetes versions 1.10.13, 1.11.9, and 1.12.7 currently contain affected versions of kubectl.
New versions of the EKS-optimized AMIs will be released today and will no longer include the kubectl binary. EKS AMI does not rely on kubectl binary and it was previously provided as a convenience. Customers relying on kubectl being present in the AMI will need to install it themselves when upgrading to the new AMI. In the meantime, users should update the kubectl version manually on any running instantiation of the AMI before using it.