The Kubernetes project fixed a dangerous security flaw with a patch. The error could allow hacks where attackers run code on the host machine. The error has no impact on the Kubernetes system itself, but on kubectl (Kube Control). This is the official command-line facility for working with Kubernetes installations.

Security researchers discovered a security flaw in the cubic cp (copy) operation, which is used to move files from containers to a user’s host machine, writes ZDNet. To make this possible, Kubernetes turns ‘tar’ inside the container to set up a tar archive. This is then copied over the network and cubectl extracts it from the user’s machine.

However, if the tar binary in the container turns out to be malicious, it can run all kinds of code and issue unexpected, malicious results. An attacker can use it to write files to any path on the user’s machine when cubectl cp is called. The attacker is then only limited by the permissions a user has on the system.

The misuse of the error is not easy. Here, an attacker must first place a rogue file inside a Kubernetes container, and then wait for a Kubernetes admin to move files to its system. The malicious files will be executed automatically. But a successful attack is therefore linked to happiness and social engineering.


The vulnerability, CVE-2019-11246, is quite similar to CVE-2019-1002101. The new vulnerability stems from incomplete solutions for CVE-2019-10021. That vulnerability was solved in March. However, the original solution was incomplete and a new exploit method was discovered.

Companies and developers running their own Kubernetes plants are advised to upgrade kubectl and Kubernetes to versions 1.12.9, 1.13.6 or 1.14.2 or later. Google Cloud has announced that all versions of Google Kubernetes Engine gcloud are also affected by the vulnerability. That company recommends upgrading to the latest patch version of gcloud if available.

This news article was automatically translated from Dutch to give a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.