ELSA-2020-5654

ELSA-2020-5654 - kubernetes kubeadm-ha-setup kubeadm-upgrade security update

Type: SECURITY
Severity: IMPORTANT
Release Date: 2020-04-17

Description


kubernetes
[1.12.10-1.0.11]
- [CVE-2019-11254] kube-apiserver Denial of Service vulnerability from malicious YAML payloads

[1.12.10-1.0.10]
- [CVE-2019-16276] Kubernetes Vulnerabilities Allow Authentication Bypass, DoS

[1.12.10-1.0.9]
- Define rolling update for flannel

[1.12.10-1.0.8]
- Modify flannel/dashboard image tags to use images that have the cve fix

[1.12.10-1.0.7]
- [CVE-2019-11253] Kubernetes API Server JSON/YAML parsing vulnerable to resource exhaustion attack

[1.12.10-1.0.6]
- [CVE-2019-16276] bump golang to 1.12.10

[1.12.10-1.0.5]
- added THIRD_PARTY_LICENSES.txt file

[1.12.10-1.0.4]
- fix for CVE-2019-11251

[1.12.10-1.0.3]
- replacing references to kubernetes-dashboard-amd64 with kubernetes-dashboard

[1.12.10-1.0.2]
- Added Oracle specific build files for Kubernetes

kubeadm-ha-setup
[0.0.2-1.0.69]
- [CVE-2019-11254] kube-apiserver Denial of Service vulnerability from malicious YAML payloads

[0.0.2-1.0.68]
- Pull image prior to update and fix image repo for addons

[0.0.2-1.0.67]
- Bump golang build version

[0.0.2-1.0.66]
- [CVE-2019-16276] Support patching flannel/dashboard on upgrade

[0.0.2-1.0.65]
- [CVE-2019-16276] Support deploying 1.12 and 1.13 with CVE patched

[0.0.2-1.0.64]
- [CVE-2019-16276] Support patching etcd on upgrade

[0.0.2-1.0.63]
- [CVE-2019-16276] while upgrading a cluster patch the coredns image

[0.0.2-1.0.62]
- CVE-2019-16276: Update flannel, etcd, coredns and dashboard images.

[0.0.2-1.0.61]
- Added Support for 1.13.11 and removed support for 1.13.10

[0.0.2-1.0.59]
- Remove Support for 1.14.6

[0.0.2-1.0.58]
- Replacing reference to kubernetes-dashboard-amd64 with kubernetes-dashboard

[0.0.2-1.0.57]
- Support 1.12.10

[0.0.2-1.0.56]
- Support 1.14.6

[0.0.2-1.0.55]
- Support 1.13.10

[0.0.2-1.0.54]
- Support 1.13.9

[0.0.2-1.0.53]
- Mark 1.14 as a developer build

[0.0.2-1.0.52]
- Restore fails when trying to restore after a failed update

[0.0.2-1.0.51]
- Minor version update doesn't update kubeadm on all master nodes

[0.0.2-1.0.50]
- Make k8s 1.14 specific changes

[0.0.2-1.0.49]
- Remove 1.10 and 1.11 version since they are incompatible

[0.0.2-1.0.48]
- Support deploying 5 master nodes

[0.0.2-1.0.47]
- Only update/upgrade the controlplane images if they changed in the Release object

[0.0.2-1.0.46]
- Fix version comparison function during upgrade

[0.0.2-1.0.45]
- Fix rpm version compare
- Allow kubernetes updates for patch version

[0.0.2-1.0.44]
- Allow assume yes to deploy a single master without the prompt

[0.0.2-1.0.43]
- Post cluster creation should check only for master nodes

[0.0.2-1.0.42]
- Update keepalived check api server to ensure we are grepping the correct IP

[0.0.2-1.0.41]
- Make ha.yaml an optional argument in the cli for single master cluster

[0.0.2-1.0.40]
- Add pod cidr default and refactor ha.yaml example

[0.0.2-1.0.39]
- Remove features: feature1_13=true from config

[0.0.2-1.0.38]
- Default kubernetes version to latest production version

[0.0.2-1.0.37]
- Fix keepalived issue when firewalld is disabled

[0.0.2-1.0.36]
- Default kubernetes version to latest production version

[0.0.2-1.0.35]
- Add addons template and config files

[0.0.2-1.0.34]
- Enhance tests

[0.0.2-1.0.33]
- fix regression of previous firewall fix

[0.0.2-1.0.32]
- Fix firewall issues during restore

[0.0.2-1.0.31]
- Fix firewall issues

[0.0.2-1.0.30]
- Enhance output while validating the system

[0.0.2-1.0.29]
- Fix DR in 1.13

[0.0.2-1.0.28]
- Fix apiserver_cert_extra_sans for 1.13 clusters

[0.0.2-1.0.27]
- Fix update/upgrade output message

[0.0.2-1.0.26]
- Fix major upgrade

[0.0.2-1.0.25]
- Add registry migration

[0.0.2-1.0.24]
- Return stdout and stderr from Run function to allow the caller to decide what to display

[0.0.2-1.0.23]
- Proxy variable is inherited in remote master

[0.0.2-1.0.22]
- The Trim function doesn't work for replacing strings
- Upgrade should use the pause container instead of pause-amd64

[0.0.2-1.0.21]
- Include 1.12.7 image and update 1.13 and metric servers info

[0.0.2-1.0.20]
- Support new registries and allow for password to have a colon

[0.0.2-1.0.19]
- --force flag for full restore

[0.0.2-1.0.18]
- Change update help message

[0.0.2-1.0.17]
- Change update message, add ha install command and ask for confirmation

[0.0.2-1.0.16]
- Change upgrade command name to update

[0.0.2-1.0.15]
- Fix upgrade for point release

[0.0.2-1.0.14]
- Move file.go to config.go

[0.0.2-1.0.13]
- Feature Flag 1.13 code

[0.0.2-1.0.12]
- Add support of upgrading HA master nodes

[0.0.2-1.0.11]
- Support deploying Kubernetes version 1.13.2

[0.0.2-1.0.10]
- CVE-2018-16875

[0.0.2-1.0.9]
- Add timeout to Run() (gitlab issues #3)
- Rename path to linux-git.us.oracle.com/Kubernetes

[0.0.2-1.0.8]
- Remove releases.json dependency

[0.0.2-1.0.7]
- Pin dependent kubernetes packages

[0.0.2-1.0.6]
- Update deps for kube 1.13

[0.0.2-1.0.5]
- Add test runner in makefile and execute it in CI/CD

[0.0.2-1.0.4]
- Fix backup path issue again found by Tom Cocozzello

[0.0.2-1.0.3]
- [Orabug 29152516] Backup and restore /var/lib/kubelet/kubeadm-flags.env too
- Cleanup kube-ipvs0 interface too
- More code cleanup
- Use map for checking kernel module
- Fix client joining errors
- Addressing Tom Cocozzello's review
- Enabling IPVS in HA

[0.0.2-1.0.2]
- Update dashboard image (CVE-2018-18264)

[0.0.2-1.0.1]
- Allow Oracle certified addons to be installed via cli

[0.0.1-2.0.9]
- Use 'dep ensure' to clean up symlinks in the vendor directory

[0.0.1-2.0.5]
- Clean up un-used build scripts

[0.0.1-2.0.4]
- Add Makefile for building and testing code

[0.0.1-2.0.3]
- Fix file restore issue when it contains './'

[0.0.1-2.0.2]
- Resolve the full filepath when '.' is passed in
- Addressing review by Muminul Islam

[0.0.1-2.0.1]
- Remove 'firewall-cmd --reload' as it can hang OCI
- Fix some errors reported by Shubham
- Error out if options is not currently supported in HandleEtcdOps
- Fix down issue
- Dump log output to /var/log/kubeadm-ha-setup

[0.0.1-1.0.37]
- Fix kubernetes version
- Include log printing when error occurs
- Fix client.go regression due to new down function

[0.0.1-1.0.36]
- Remove Godeps, using dep for now
- Check if image is not set before referencing
- Rename getEtcdConfigV2 to getEtcdConfig
- Adding down functionality
- Update ha.yaml file

[0.0.1-1.0.35]
- Removing etcd.go
- Addressing Tom Cocozzello review
- [Orabug 28977571]

[0.0.1-1.0.34]
- Enabling full restore on HA master and single master
- Cleanup
- Enable single master backup
- Double the context request timeout
- Implement retryable AddMember

[0.0.1-1.0.33]
- Modified DR for One node case to use new etcd API
- Enhanced the helper scripts such that it will error out
- HealthCheck re-implementation

[0.0.1-1.0.32]
- Update dashboard image

[0.0.1-1.0.31]
- Needs to be run as a privileged user
- Enable CoreDNS as default

[0.0.1-1.0.30]
- Enable single master setup

[0.0.1-1.0.29]
- Redesigned for setting up v1.12 HA clusters

[0.0.1-1.0.28]
- Fixes for v1.11
- Addressing Laszlo Peter review
- Addressing Daniel Krasinski review

[0.0.1-1.0.27]
- Fix build failure
- Add UPL LICENSE
- Fix the usage of defer
- Re-try when docker pull image gets a timeout
- Refactor SetupCreds()
- Remove --force flag for restore
- When something fails, we should lengthen the timeout time

[0.0.1-1.0.26]
- When context timed out catch it and print stdout, stderr

[0.0.1-1.0.25]
- Check output from docker client and probe for error

[0.0.1-1.0.24]
- Properly parse if repo has a special ':' character

[0.0.1-1.0.23]
- Checking the total nodes would be better implementation
- Fixup etcd add member errors

[0.0.1-1.0.22]
- Pod count could be >= 20
- Remove port 30000-32767/tcp check for client node
- Querying k8s cluster health instead of etcd for backup
- Cosmetic fix
- Etcd one node restore problems

[0.0.1-1.0.21]
- Check whether repo needs auth even in one node restore case
- Fixup the restore script
- docker pull image change in behavior in 18.03
- Include client side image repo checking too
- Provide a full repo path for comparison
- Make kubernetes_developer as the sample repo
- Use strings.Contains to compare strings
- Fix README
- Initial README
- Include changes in kube.go

[0.0.1-1.0.20]
- In OCI, LB can take time to set up properly
- Fix random string
- [Orabug 28445064]
- Replace RunCmdExec() with just Run()
- Sanity check for # of master
- Make kubeadm token default to be random

[0.0.1-1.0.19]
- Check if docker exec etcd returns Error
- Check env first before trying to pull image
- [Orabug 28461826]

[0.0.1-1.0.18]
- Fixing LB, kubelet, kubectl-proxy
- Add a DEBUG flag for more verbose output

[0.0.1-1.0.17]
- Don't loop forever in client, make Run() more consistent in master
- Fixup LB for OCI
- Add apiserver-bind-port capability

[0.0.1-1.0.17]
- Include apiserver_cert_extra_sans and service_cidr

[0.0.1-1.0.16]
- Include restoring keepalived for one and full restore
- For Full Restore we need to first clean up before anything else
- Clean up DR, make backup check etcd health first
- Properly clean-up flannel.1 and cni0

[0.0.1-1.0.15]
- DR code cleanup
- Changed permission on the created dir to 0755
- Fix filename not found error

[0.0.1-1.0.14]
- Don't panic()
- In One node restore case verify the ca.crt MD5SUM
- Full DR feature
- Redesign of the DR
- Include file and its line number for logging
- Put the binary full path
- Re-arrange variables for ssh.go
- Separate etcd cli to another file (etcd.go)
- Addition to kubectl cli
- Check if MyIP for local node is missing/empty

[0.0.1-1.0.13]
- Replace binary names
- Include the ability to re-try master setup

[0.0.1-1.0.12]
- Renamed the whole REPO to kubeadm-ha-setup
- Don't print out more logs than necessary

[0.0.1-1.0.12]
- Enhance ssh/sftp code

[0.0.1-1.0.11]
- Change the storePath
- Include keepalived backup and change backup.sh/restore.sh

[0.0.1-1.0.10]
- Continuing on the restore part
- Make the script to query all KUBEDIR directory from a single file
- Consolidate KUBEDIR
- Make systemd related file 0644

[0.0.1-1.0.9]
- Fixup the hardcoded directory as such we are reading from only limited source
- Include the Docker API for restore
- Initial implementation of DR

[0.0.1-1.0.8]
- Fixup kubeadm-setup join
- systemctl enable kubelet

[0.0.1-1.0.7]
- Fix LoadBalancer to take care of extra steps

[0.0.1-1.0.6]
- Cleanup some stdout
- Add token field in ha.yaml for ease of automated setup

[0.0.1-1.0.5]
- If Loadbalancer is preferred/used

[0.0.1-1.0.4]
- Remove goroutine sleep - unnecessary
- Provides structure to store required files and cert files
- Fix merge errors

[0.0.1-1.0.3]
- Create /run/kubeadm w-w/o --skip

[0.0.1-1.0.2]
- NoHA and LoadBalancer

[0.0.1-1.0.1]
- Initial build

kubeadm-upgrade
[0.0.1-1.0.28]
- [CVE-2019-11254] kube-apiserver Denial of Service vulnerability from malicious YAML payloads

[0.0.1-1.0.27]
- [CVE-2019-16276] Kubernetes Vulnerabilities Allow Authentication Bypass, DoS

[0.0.1-1.0.26]
- Create log folder before any log write or error exit [Orabug 29806186]

[0.0.1-1.0.25]
- Enforce exit on errors

[0.0.1-1.0.24]
- Dashboard yaml location was moved in Kubernetes 1.12.7

[0.0.1-1.0.23]
- Detect latest kubernetes version from yum

[0.0.1-1.0.22]
- Bump up 1.12.7 version for coredns fix

[0.0.1-1.0.21]
- CVE-2019-9946

[0.0.1-1.0.20]
- CVE-2019-1002101

[0.0.1-1.0.19]
- Bump up 1.12.6 version

[0.0.1-1.0.18]
- Upgrade from 1.9 to 1.12 fails

[0.0.1-1.0.17]
- Update the Kubernetes version to include the conntrack fix

[0.0.1-1.0.16]
- CVE-2019-1002100

[0.0.1-1.0.15]
- CVE-2018-1002105

[0.0.1-1.0.14]
- Fix kube version for 1.10.5

[0.0.1-1.0.13]
- Updating 1.10 and 1.11 version for CVE fixes
- Include flannel and dashboard upgrade

[0.0.1-1.0.12]
- Upgrade to 1.12.5-2.1.1

[0.0.1-1.0.11]
- Upgrade to 1.12.5

[0.0.1-1.0.10]
- Add license info to the script

[0.0.1-1.0.9]
- Add license file

[0.0.1-1.0.8]
- Fix the bug on number of CPU checking

[0.0.1-1.0.7]
- Use install instead of update for a specific 1.12 version

[0.0.1-1.0.6]
- Upgrade cluster to 1.12.3-* version only

[0.0.1-1.0.5]
- Add exit handler to gather logs on failure

[0.0.1-1.0.4]
- Enhance logging and check return code after kubeadm apply. Checking CPU and Memory of the system

[0.0.1-1.0.3]
- Change REPO_PREFIX to use a single repo, increased timeout during cluster health check

[0.0.1-1.0.2]
- Added comments and fix rpm name

[0.0.1-1.0.1]
- Upgrade to 1.12.3


Related CVEs



Updated Packages


Release/Architecture    | Filename                                        | MD5sum                           | Superseded By Advisory
Oracle Linux 7 (x86_64) | kubeadm-ha-setup-0.0.2-1.0.69.el7.src.rpm       | cba4bd49c0186b7648dd04afa404ad9c | ELSA-2020-5825
Oracle Linux 7 (x86_64) | kubeadm-upgrade-0.0.1-1.0.28.el7.src.rpm        | cb6fde7d9629a213ac1eba41f57257b4 | -
Oracle Linux 7 (x86_64) | kubernetes-1.12.10-1.0.11.el7.src.rpm           | 57c9b09aac238b8912326fa015e63cd2 | ELBA-2021-9240
Oracle Linux 7 (x86_64) | kubeadm-1.12.10-1.0.11.el7.x86_64.rpm           | 33810e20a0159bfe5cfe97c1301da8a9 | ELBA-2021-9240
Oracle Linux 7 (x86_64) | kubeadm-ha-setup-0.0.2-1.0.69.el7.x86_64.rpm    | e84aa1d67ace500c0301d17462f56904 | ELSA-2020-5825
Oracle Linux 7 (x86_64) | kubeadm-upgrade-0.0.1-1.0.28.el7.x86_64.rpm     | 4d3a768ae4d31b26816d44ca3206c99d | -
Oracle Linux 7 (x86_64) | kubectl-1.12.10-1.0.11.el7.x86_64.rpm           | 4a891041f3cb2306a7e153ef19609779 | ELBA-2021-9240
Oracle Linux 7 (x86_64) | kubelet-1.12.10-1.0.11.el7.x86_64.rpm           | 89c5b38174ac4a2ba1b9ef30c097c0a4 | ELBA-2021-9240



This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team