Report Submission Form
“CVE-2019-11250: TOB-K8S-001: Bearer tokens are revealed in logs” remains in effect.
Effects at least all versions since 1.4.
git
archaeology. This was determined by following the code snippet from it’s current location in kubernetes/staging/src/k8s.io/client-go/transport/round_trippers.go
I’m not sure.
curl -k -v -X<> -H "Authorization: <token>" <...>
I was having trouble getting a cluster spun up, so I have not managed a live reproduction.
[Issue #81146: Kubernetes 3rd Party Security Audit Findings]
(https://github.com/kubernetes/kubernetes/issues/81146)
[Issue #81114: CVE-2019-11250: TOB-K8S-001: Bearer tokens are revealed in logs]
(https://github.com/kubernetes/kubernetes/issues/81114)
[Partial fix for #81114: PR #81330]
(https://github.com/kubernetes/kubernetes/pull/81330).
Note that only debuggingRoundTripper.RoundTrip
only masks headers in the if rt.levels[debugRequestHeaders]
block, exposure is also present in the
if rt.levels[debugCurlCommand] {klog.Infof("%s", reqInfo.toCurl())}
preceding it.
At kubernetes/staging/src/k8s.io/client-go/transport/round_trippers.go:416
:
func (rt *debuggingRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
reqInfo := newRequestInfo(req)
if rt.levels[debugJustURL] {
klog.Infof("%s %s", reqInfo.RequestVerb, reqInfo.RequestURL)
}
if rt.levels[debugCurlCommand] {
klog.Infof("%s", reqInfo.toCurl())
}
if rt.levels[debugRequestHeaders] {
klog.Infof("Request Headers:")
for key, values := range reqInfo.RequestHeaders {
for _, value := range values {
value = maskValue(key, value)
klog.Infof(" %s: %s", key, value)
}
}
}
// <function continues>
}
At kubernetes/staging/src/k8s.io/client-go/transport/round_trippers.go:338
:
// toCurl returns a string that can be run as a command in a terminal (minus the body)
func (r *requestInfo) toCurl() string {
headers := ""
for key, values := range r.RequestHeaders {
for _, value := range values {
headers += fmt.Sprintf(` -H %q`, fmt.Sprintf("%s: %s", key, value))
}
}
return fmt.Sprintf("curl -k -v -X%s %s '%s'", r.RequestVerb, headers, r.RequestURL)
}
Correction will be a one-line diff to use maskValue
in this loop as well.
> Alice logs into a Kubernetes cluster and is issued a Bearer token. The system logs her
token. Eve, who has access to the logs but not the production Kubernetes cluster, replays
Alice’s Bearer token, and can masquerade as Alice to the cluster.