PT-2019-16709 · Cloud Foundry+2 · Cloud Foundry Container Runtime+2

Published

2019-03-08

Updated

2019-10-09

CVE-2019-3779

CVSS v3.1

8.8

High

Vector

AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Cloud Foundry Container Runtime versions prior to 0.29.0

Description The issue concerns the deployment of Kubernetes clusters where the same Certificate Authority (CA) is used to sign and trust certificates for ETCD as well as the Kubernetes API. This could potentially allow an authenticated user to exploit the Kubernetes Certificate Signing Request (CSR) capability to obtain a signed certificate, which could then be used to escalate privilege access to ETCD.

Recommendations For Cloud Foundry Container Runtime versions prior to 0.29.0, update to version 0.29.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the Kubernetes CSR capability to minimize the risk of exploitation.

Fix

Improper Access Control

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-284CWE-264

Related Identifiers

CVE-2019-3779

Affected Products

Cloud Foundry Container Runtime

Etcd

Kubernetes

PT-2019-16709 · Cloud Foundry+2 · Cloud Foundry Container Runtime+2

CVE-2019-3779

Weakness Enumeration

Related Identifiers

Affected Products

References · 3