[Security] CVE-2019-19794 #3547
Comments
should we make some more noise on this? Release is ready. |
I think we can post a blog on coredns.io? |
I'll do that later today
…On Thu, 19 Dec 2019, 16:37 Yong Tang, ***@***.***> wrote:
I think we can post a blog on coredns.io?
|
Does CVE-2019-19794 impact Kubernetes usage of CoreDNS assuming configurations such as https://github.com/kubernetes/kubernetes/blob/v1.17.0/cluster/addons/dns/coredns/coredns.yaml.base or https://raw.githubusercontent.com/coredns/deployment/5a861f8a6fa192ac9dbda1856bff95b9d6721389/kubernetes/coredns.yaml.sed? |
IIUC, it could be exploited by someone with access to read and spoof packets into the Pod network (the network traffic between pods and coredns). |
This is planned to be fixed in Kubernetes in the next patch release. You can update to the latest CoreDNS (v1.6.6) manually if you control the cluster, or wait for the Kubernetes patch release to hit. |
release it out; closing |
@stp-ip Is it possible then to mitigate this security vulnerability by disabling the cache via removing the |
The cache poisoning isn't within the CoreDNS cache in the usual Kubernetes setup afaik. To answer the specific question: disabling the cache plugin shouldn't prevent this issue from happening afaik. If you control the deployment, upgrade to 1.6.6 manually or wait for the next K8s patch release. |
This is a public announcement of a security vulnerability discovered in earlier versions of CoreDNS before v1.6.6:
https://nvd.nist.gov/vuln/detail/CVE-2019-19794
As was mentioned in CVE-2019-19794, one of the upstream libraries, miekg/dns, used Golang's math/rand. This causes predictable TXID and may allow cache poisoning (see miekg/dns#1043 for details). CoreDNS was impacted by this upstream vulnerability.
The latest release of CoreDNS v1.6.6 fixes this issue. We encourage all CoreDNS users to update to v1.6.6+ as soon as possible.
The issue was discovered by @FiloSottile; we very much appreciate his contributions! 👍
This issue will be kept open for a couple of weeks or so, so that it is visible to the public.
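
The weakness the announcement describes, as an added example (not code from CoreDNS or miekg/dns): a math/rand generator is a deterministic function of its state, so 16-bit query IDs drawn from it repeat exactly for anyone holding the same state, while IDs read from crypto/rand do not. The function names and the seed value are assumptions made for illustration.

```go
package main

import (
	crand "crypto/rand"
	"encoding/binary"
	"fmt"
	mrand "math/rand"
)

// weakIDs (hypothetical name) draws n 16-bit DNS transaction IDs from
// math/rand. The output is fully determined by the generator state.
func weakIDs(seed int64, n int) []uint16 {
	r := mrand.New(mrand.NewSource(seed))
	ids := make([]uint16, n)
	for i := range ids {
		ids[i] = uint16(r.Uint32())
	}
	return ids
}

// strongID (hypothetical name) reads a 16-bit transaction ID from the
// operating system CSPRNG, so earlier IDs reveal nothing about later ones.
func strongID() (uint16, error) {
	var b [2]byte
	if _, err := crand.Read(b[:]); err != nil {
		return 0, err
	}
	return binary.BigEndian.Uint16(b[:]), nil
}

// sameSequence reports whether two ID sequences are identical.
func sameSequence(a, b []uint16) bool {
	if len(a) != len(b) {
		return false
	}
	for i := range a {
		if a[i] != b[i] {
			return false
		}
	}
	return true
}

func main() {
	const seed = 20191219 // constructed sample value
	resolver, observer := weakIDs(seed, 8), weakIDs(seed, 8)
	fmt.Println("math/rand IDs reproducible:", sameSequence(resolver, observer))
	id, err := strongID()
	fmt.Println("crypto/rand ID:", id, "err:", err)
}
```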