AWS-2019-007

AWS-2019-007 PUBLISHED

Last Updated: August 15, 2019 9:00AM PDT
CVE Identifier: CVE-2019-11249

AWS is aware of a security issue (CVE-2019-11249) which resolves incomplete fixes for CVE-2019-1002101 and CVE-2019-11246. Like the aforementioned CVEs, the issue is in the Kubernetes kubectl tool that could allow a malicious container to replace or create files on a user's workstation.

If a user were to run an untrusted container containing a malicious version of the tar command and execute the kubectl cp operation, the kubectl binary unpacking the tar file could overwrite or create files on a user's workstation.

AWS customers should refrain from using untrusted containers. If customers use an untrusted container and use the kubectl tool to manage their Kubernetes clusters, they should refrain from running the kubectl cp command using the affected versions and update to the latest kubectl version.

Updating Kubectl

Amazon Elastic Kubernetes Service (EKS) currently vends kubectl for customers to download from the EKS service S3 bucket. Download and install instructions can be found in the EKS Userguide. Customers can run the command "kubectl version --client" to discover which version they are using. For a li…
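The unpacking risk described in this bulletin can be checked for before any file is written. The following is an added example, not code from AWS or the Kubernetes project: it audits a tar stream and lists entries that would land outside the chosen destination. It goes beyond the bulletin's wording by checking entry paths and link targets in general; the function names, the destination `./copied` and the in-memory sample archive are assumptions constructed for illustration.

```python
import io
import os
import tarfile

def audit_tar(fileobj, dest):
    """List (entry name, reason) for entries that are unsafe to unpack into dest."""
    root = os.path.realpath(dest)
    findings, links = [], set()  # links: archive paths declared as links so far

    def inside(path):
        return os.path.commonpath([root, path]) == root

    with tarfile.open(fileobj=fileobj, mode="r:*") as archive:
        for member in archive:
            target = os.path.normpath(os.path.join(root, member.name))
            if os.path.isabs(member.name) or not inside(target):
                findings.append((member.name, "path escapes destination"))
                continue
            parts = os.path.relpath(target, root).split(os.sep)
            # An entry beneath an earlier link would be written through that link.
            if any(os.sep.join(parts[:i]) in links for i in range(1, len(parts))):
                findings.append((member.name, "written through an archived link"))
            if member.issym() or member.islnk():
                links.add(os.sep.join(parts))
                # Symlink targets are relative to the link; hard links to the root.
                base = os.path.dirname(target) if member.issym() else root
                resolved = os.path.normpath(os.path.join(base, member.linkname))
                if os.path.isabs(member.linkname) or not inside(resolved):
                    findings.append((member.name, "link target escapes destination"))
    return findings

def constructed_sample():
    """Build a small in-memory archive (constructed data) with safe and unsafe entries."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as archive:
        for name in ("docs/readme.txt", "../outside.txt", "cfg/app.conf"):
            info = tarfile.TarInfo(name)
            info.size = 4
            if name == "cfg/app.conf":  # declare cfg as a link before the file under it
                link = tarfile.TarInfo("cfg")
                link.type, link.linkname = tarfile.SYMTYPE, "/constructed/outside"
                archive.addfile(link)
            archive.addfile(info, io.BytesIO(b"data"))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for name, reason in audit_tar(constructed_sample(), "./copied"):
        print(f"REFUSE {name}: {reason}")
```

An empty result means every entry resolves inside the destination; any finding is a reason to discard the archive rather than unpack it.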

Timeline

  • Sep 12, 2019 CVE Published