Last Updated: August 15, 2019 9:00AM PDT

CVE Identifier: CVE-2019-11249

AWS is aware of a security issue (CVE-2019-11249) which results from incomplete fixes for CVE-2019-1002101 and CVE-2019-11246. Like those CVEs, the issue is in the Kubernetes kubectl tool and could allow a malicious container to replace or create files on a user's workstation.

If a user were to run the kubectl cp command against an untrusted container that contains a malicious version of the tar command, the tar stream returned to kubectl could include entries whose names or symlink targets resolve outside the destination directory. The kubectl binary, when unpacking that tar stream, could then overwrite or create files on the user's workstation wherever the user has write access.
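The Go program below is an added illustration of the extraction-time checks that close this class of bug; it is not code from kubectl or from AWS. It builds a constructed archive containing the three kinds of entry a malicious tar could emit (a name with "../", a symlink that escapes the destination, and a file written through a symlink planted before extraction) and unpacks it with an extractor that rejects each of them while keeping the legitimate entries. The function names (SafeUntar, realPath, insideDest, demoArchive), the entry names and the scratch-directory layout are the example's own assumptions.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

func insideDest(dest, p string) bool {
	return p == dest || strings.HasPrefix(p, dest+string(os.PathSeparator))
}

// realPath resolves symlinks in the existing prefix of p and re-appends the rest.
func realPath(p string) string {
	if real, err := filepath.EvalSymlinks(p); err == nil {
		return real
	}
	return filepath.Join(realPath(filepath.Dir(p)), filepath.Base(p))
}

// SafeUntar unpacks r into the existing absolute directory dest and skips every
// entry whose name, parent path or symlink target would resolve outside dest.
func SafeUntar(dest string, r io.Reader) (written, rejected []string, err error) {
	if dest, err = filepath.EvalSymlinks(dest); err != nil { // dest may itself sit behind a symlink
		return nil, nil, err
	}
	tr := tar.NewReader(r)
	for hdr, err := tr.Next(); err != io.EOF; hdr, err = tr.Next() {
		if err != nil {
			return written, rejected, err
		}
		target := filepath.Join(dest, hdr.Name)  // Join cleans "../", so an escape is visible
		parent := realPath(filepath.Dir(target)) // where the parent directory physically is
		// 1: no "../" traversal; 2: parent still under dest after following planted symlinks;
		// 3: a symlink's physical target must be inside dest (absolute targets rejected outright).
		if !insideDest(dest, target) || !insideDest(dest, parent) || (hdr.Typeflag == tar.TypeSymlink &&
			(filepath.IsAbs(hdr.Linkname) || !insideDest(dest, filepath.Join(parent, hdr.Linkname)))) {
			rejected = append(rejected, hdr.Name)
			continue
		}
		target = filepath.Join(parent, filepath.Base(target)) // create at the physical location
		if err = os.MkdirAll(parent, 0o755); err == nil {
			switch hdr.Typeflag {
			case tar.TypeDir:
				err = os.MkdirAll(target, 0o755)
			case tar.TypeSymlink:
				err = os.Symlink(hdr.Linkname, target)
			case tar.TypeReg:
				var f *os.File
				if f, err = os.Create(target); err == nil {
					_, err = io.Copy(f, tr)
					f.Close()
				}
			default: //  hard links, devices etc. are not needed for cp
				rejected = append(rejected, hdr.Name)
				continue
			}
		}
		if err != nil {
			return written, rejected, err
		}
		written = append(written, hdr.Name)
	}
	return written, rejected, nil
}

// demoArchive is a constructed archive of the kind a malicious tar binary in the
// container could stream back to kubectl cp (not a real capture).
func demoArchive() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	add := func(name, link string, flag byte, body string) {
		tw.WriteHeader(&tar.Header{Name: name, Linkname: link, Typeflag: flag, Mode: 0o644, Size: int64(len(body))})
		tw.Write([]byte(body)) // tar.Writer keeps the first error and Close reports it
	}
	add("ok.txt", "", tar.TypeReg, "hello")             // legitimate file
	add("../../escape.txt", "", tar.TypeReg, "pwned")   // "../" traversal
	add("uplink", "../../outside", tar.TypeSymlink, "") // symlink escaping dest
	add("inlink", "ok.txt", tar.TypeSymlink, "")        // symlink that stays inside
	add("pre/pwned.txt", "", tar.TypeReg, "pwned")      // write through a symlink planted earlier
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	base, err := os.MkdirTemp("", "safeuntar")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)
	dest := filepath.Join(base, "dest")
	os.Mkdir(dest, 0o755)
	os.Symlink(base, filepath.Join(dest, "pre")) // a planted link that escapes dest; failures show in the result
	fmt.Println(SafeUntar(dest, bytes.NewReader(demoArchive())))
}
```

The lexical check on the cleaned name is the one most extractors have; the other two are what the incomplete fixes referenced above were missing in spirit: a symlink can be accepted because it looks harmless relative to the archive, and a later entry can then be written through it, so the parent directory has to be resolved on disk (realPath) before every write and symlink targets have to be judged by where they physically point. dest is resolved with EvalSymlinks first because the temp directory itself may sit behind a symlink (as it does on macOS).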

AWS customers should refrain from using untrusted containers. Customers who do use untrusted containers and manage their Kubernetes clusters with kubectl should not run the kubectl cp command with an affected version, and should update to the latest kubectl version.

Updating Kubectl

Amazon Elastic Kubernetes Service (EKS) currently vends kubectl for customers to download from the EKS service S3 bucket. Download and install instructions can be found in the EKS Userguide. Customers can run the command "kubectl version --client" to discover which version they are using.

The affected AWS-vended kubectl versions, and the versions to which we recommend updating, are listed in the table below:

AWS-vended kubectl Version   Affected Versions      Recommended Version
1.10.x                       1.10.13 and earlier    v1.11.10-eks-2ae91d
1.11.x                       1.11.10 and earlier    v1.11.10-eks-2ae91d
1.12.x                       1.12.9 and earlier     v1.12.9-eks-f01a84
1.13.x                       1.13.7 and earlier     v1.13.7-eks-fa4c70
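The table has a detail that is easy to get wrong when checking machines in bulk: plain 1.13.7 is listed as affected while v1.13.7-eks-fa4c70 is the recommended build, so the build suffix must be compared, not just the numeric version. The Go helper below, added here as an example rather than AWS tooling, encodes the table above and classifies the gitVersion string that "kubectl version --client -o json" prints under clientVersion.gitVersion (the same build string the "kubectl version --client" command from the Updating Kubectl section shows). The status strings and the sample JSON are the example's own; the sample is constructed in the shape of that command's output, not a captured response.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strconv"
)

// vendedLine is one row of the table above: the highest affected patch level in
// a minor line and the AWS-vended build to move to.
type vendedLine struct {
	affectedThrough int
	recommended     string
}

var table = map[string]vendedLine{
	"1.10": {13, "v1.11.10-eks-2ae91d"},
	"1.11": {10, "v1.11.10-eks-2ae91d"},
	"1.12": {9, "v1.12.9-eks-f01a84"},
	"1.13": {7, "v1.13.7-eks-fa4c70"},
}

// gitVersionRE matches kubectl build strings such as "v1.13.7" or "v1.13.7-eks-fa4c70".
var gitVersionRE = regexp.MustCompile(`^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$`)

// Assess classifies a gitVersion string against the table. Only an exact match
// with the recommended build counts as patched; the same numeric version with
// another (or no) build suffix is treated as affected, which is the conservative
// reading of "1.13.7 and earlier".
func Assess(gitVersion string) (status, recommended string) {
	m := gitVersionRE.FindStringSubmatch(gitVersion)
	if m == nil {
		return "unparseable", ""
	}
	row, ok := table[m[1]+"."+m[2]]
	if !ok {
		return "not in table", "" // e.g. 1.14.x: not covered by this bulletin's table
	}
	if gitVersion == row.recommended {
		return "recommended build", row.recommended
	}
	patch, _ := strconv.Atoi(m[3]) // digits only, so Atoi cannot fail
	if patch <= row.affectedThrough {
		return "affected", row.recommended
	}
	return "above affected range", row.recommended
}

// AssessJSON takes the raw output of `kubectl version --client -o json`, which
// carries the build string under clientVersion.gitVersion.
func AssessJSON(out []byte) (status, recommended string, err error) {
	var v struct {
		ClientVersion struct {
			GitVersion string `json:"gitVersion"`
		} `json:"clientVersion"`
	}
	if err := json.Unmarshal(out, &v); err != nil {
		return "", "", err
	}
	status, recommended = Assess(v.ClientVersion.GitVersion)
	return status, recommended, nil
}

func main() {
	// Constructed sample in the shape `kubectl version --client -o json` prints.
	sample := []byte(`{"clientVersion":{"major":"1","minor":"13","gitVersion":"v1.13.7","gitCommit":""}}`)
	status, rec, err := AssessJSON(sample)
	fmt.Println(status, rec, err) // affected v1.13.7-eks-fa4c70 <nil>
}
```

In practice the JSON would be piped in from the real command on each workstation; "not in table" and "above affected range" are deliberately separate from "recommended build", because a version outside this table is not thereby known to be fixed and should be checked against the upstream Kubernetes advisory for CVE-2019-11249.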

EKS-optimized AMIs

The EKS-optimized AMIs for Kubernetes at version v20190701 no longer contain kubectl. Customers running v20190701 or newer are not impacted, and no action is required. Customers running a previous version of the EKS AMI should update to the latest EKS AMI.

CVE-2019-11246 was addressed in AWS-2019-006.