HTTP/2 Vulnerability Update Guide
Go Language HTTP/2 Vulnerability
- Release time: August 13, 2019
- Update time: August 26, 2019
- Vulnerability level: Important
- CVE Number: CVE-2019-9512 CVE-2019-9514
Vulnerability Details
Netflix, Google, and CERT/CC recently disclosed eight denial-of-service vulnerabilities in HTTP/2 implementations. Two of them affect the Go language's net/http library: CVE-2019-9512 (Ping Flood) and CVE-2019-9514 (Reset Flood). A remote client can use either one to exhaust the CPU and memory of any program that exposes an HTTP or HTTPS listener, so every Kubernetes version and every Kubernetes component that serves HTTP is affected.
To address these vulnerabilities, Go has released Go1.12.9 and Go1.11.13, and Kubernetes has rebuilt its supported release lines on the patched toolchains as v1.15.3, v1.14.6, and v1.13.10. Kubernetes users are strongly advised to upgrade to the patched release for their line as soon as possible.
Impact Scope
Clusters running a Kubernetes version lower than the fixed releases listed above (v1.15.3, v1.14.6, v1.13.10) are affected.
Clusters created after 18:00 on August 28, 2019 already include the fix and have been verified.
Remediation Plan
UK8S has prepared upgrade packages for k8s v1.13.10 and v1.14.6, built from the official patch releases.
v1.13.10 download link: http://uk8s.cn-bj.ufileos.com/1.13.10/k8s.tgz
v1.14.6 download link: http://uk8s.cn-bj.ufileos.com/1.14.6/k8s.tgz
- Download the installation package to the server with
wget http://uk8s.cn-bj.ufileos.com/1.13.10/k8s.tgz
If your cluster is on v1.14.5, use the v1.14.6 download link instead.
- Unzip the downloaded installation package
tar zxvf k8s.tgz
- Execute the update script
On each master node (one at a time):
chmod +x 1.13.10/uk8supgrade.sh
sh 1.13.10/uk8supgrade.sh master
On each worker node:
chmod +x 1.13.10/uk8supgrade.sh
sh 1.13.10/uk8supgrade.sh node
If your cluster is on v1.14.5, use the 1.14.6/ path instead of 1.13.10/.
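The Impact Scope and Remediation sections above leave it to the operator to work out whether a given cluster is still exposed and which package directory (1.13.10/ or 1.14.6/) applies. The following script is an added example, not part of the UK8S advisory or its upgrade package: it takes the output of kubectl version -o json, classifies the API server against the fixed Kubernetes releases and the Go releases named in this advisory, and prints the matching package URL. It assumes vX.Y.Z Kubernetes versions, goX.Y[.Z] Go versions, and the one-field-per-line JSON that kubectl emits; the sample JSON at the bottom is constructed.

```shell
#!/bin/sh
# Added example (not part of the UK8S advisory or its upgrade package).
# Classifies a cluster against the fixed Kubernetes releases named in the
# advisory (v1.13.10, v1.14.6, v1.15.3) and the Go releases it names
# (go1.11.13, go1.12.9), then picks the matching UK8S package directory.

# Fixed patch level for a Kubernetes 1.<minor> line (empty if none is listed).
k8s_fixed_patch() {
    case "$1" in
        13) echo 10 ;;
        14) echo 6 ;;
        15) echo 3 ;;
        *)  echo "" ;;
    esac
}

# k8s_http2_status vX.Y.Z -> "affected", "fixed" or "unknown"
k8s_http2_status() {
    v=${1#v}; v=${v%%-*}                 # drop leading "v" and any "-rc.N"
    major=${v%%.*}; rest=${v#*.}
    case "$rest" in *.*) ;; *) echo unknown; return 0 ;; esac
    minor=${rest%%.*}; patch=${rest#*.}
    case "$major$minor$patch" in *[!0-9]*|'') echo unknown; return 0 ;; esac
    fixed=$(k8s_fixed_patch "$minor")
    if [ "$major" != 1 ] || [ -z "$fixed" ]; then
        echo unknown                     # line not covered by the advisory
    elif [ "$patch" -lt "$fixed" ]; then
        echo affected
    else
        echo fixed
    fi
}

# uk8s_package_dir vX.Y.Z -> directory inside k8s.tgz ("1.13.10" or "1.14.6")
uk8s_package_dir() {
    v=${1#v}; rest=${v#*.}; minor=${rest%%.*}
    case "$minor" in
        13) echo 1.13.10 ;;
        14) echo 1.14.6 ;;
        *)  echo "" ;;                   # no UK8S package listed for this line
    esac
}

# go_meets_advisory goX.Y[.Z] -> "yes" if the binary's Go version is at or
# above the release this advisory names for its line (or a newer line).
go_meets_advisory() {
    v=${1#go}
    major=${v%%.*}; rest=${v#*.}
    case "$rest" in *.*) minor=${rest%%.*}; patch=${rest#*.} ;; *) minor=$rest; patch=0 ;; esac
    case "$major$minor$patch" in *[!0-9]*|'') echo unknown; return 0 ;; esac
    if [ "$major" -gt 1 ] || [ "$minor" -ge 13 ]; then echo yes
    elif [ "$minor" -eq 12 ]; then [ "$patch" -ge 9 ] && echo yes || echo no
    elif [ "$minor" -eq 11 ]; then [ "$patch" -ge 13 ] && echo yes || echo no
    else echo no                         # older Go lines never received the fix
    fi
}

# server_field JSON FIELD -> value of FIELD inside the "serverVersion" object.
# Uses only sed so the check also works on nodes that do not have jq.
server_field() {
    printf '%s\n' "$1" | sed -n '/"serverVersion"/,$p' \
        | sed -n "s/.*\"$2\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# report_from_json JSON -> one-line verdict plus the package to download.
report_from_json() {
    gv=$(server_field "$1" gitVersion)
    gov=$(server_field "$1" goVersion)
    printf 'api server %s (%s): kubernetes %s, go meets advisory: %s\n' \
        "$gv" "$gov" "$(k8s_http2_status "$gv")" "$(go_meets_advisory "$gov")"
    dir=$(uk8s_package_dir "$gv")
    if [ -n "$dir" ]; then
        printf 'package: http://uk8s.cn-bj.ufileos.com/%s/k8s.tgz (run %s/uk8supgrade.sh)\n' "$dir" "$dir"
    fi
}

# Constructed sample of `kubectl version -o json`, trimmed to the fields used.
SAMPLE_KUBECTL_VERSION='{
  "clientVersion": {
    "gitVersion": "v1.14.6",
    "goVersion": "go1.12.9"
  },
  "serverVersion": {
    "gitVersion": "v1.14.5",
    "goVersion": "go1.12.5"
  }
}'

# Against a live cluster run:  report_from_json "$(kubectl version -o json)"
report_from_json "$SAMPLE_KUBECTL_VERSION"
```

The Go version check is the part worth keeping after the upgrade: kubectl version -o json reports the Go toolchain the API server was built with, so a server that still reports a Go release below the ones named above has not actually picked up the fix even if its binaries were replaced.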
Points to Note
- The upgrade must be run on every master and worker node in the cluster. Upgrade one master node first and confirm the control plane is healthy with kubectl get cs (and that the node reports Ready in kubectl get nodes) before touching the next machine; repeat that check after each node.
- If the cluster is internal-only or has no outbound internet gateway, create a virtual machine with an external IP in the same network, download the package there, copy it to each node with scp, then log in to each node and run the update.
- Updating a node takes about 2 minutes. Please be patient.
- If any errors occur during the upgrade, please contact us immediately for assistance.
Bulk Installation Method
The bulk method requires the same root password on every node, because pssh -A prompts for a single password. If the passwords differ, upgrade the nodes manually instead.
Master nodes must be upgraded one at a time, and all of them before any worker, so this bulk procedure applies to worker nodes only.
- Install the pssh tool
yum install pssh -y
- Create a worker node list file
vim hosts.txt
One user@ip entry per line, for example:
root@10.10.10.10
root@10.10.10.11
root@10.10.10.12
root@10.10.10.13
- Execute
pscp.pssh -Ah hosts.txt k8s.tgz /root/
pssh -Ah hosts.txt -x '-o StrictHostKeyChecking=no' -i 'sudo tar zxvf k8s.tgz'
pssh -Ah hosts.txt -x '-o StrictHostKeyChecking=no' -i 'sudo chmod +x 1.13.10/uk8supgrade.sh'
pssh -Ah hosts.txt -t 0 -x '-o StrictHostKeyChecking=no' -i 'sudo sh 1.13.10/uk8supgrade.sh node'
If your cluster is on v1.14.5, use the 1.14.6/ paths instead of 1.13.10/.
Note that -x '-o StrictHostKeyChecking=no' turns off SSH host-key verification for these sessions. If the jump host does not already trust the nodes' host keys, prefer adding them to ~/.ssh/known_hosts first and dropping that option, so a spoofed node cannot collect the root password.
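The bulk procedure above has two manual steps that are easy to get wrong on a larger cluster: typing hosts.txt by hand, and remembering that every master must already be upgraded before the workers are touched. The following script is an added example, not part of the UK8S advisory or its package: it derives hosts.txt from kubectl get nodes -o wide --no-headers, keeps only worker nodes whose kubelet is still below the target release, and refuses to start the pssh sequence while any master is pending. It assumes masters carry "master" in the ROLES column, that nodes are reached as root on their INTERNAL-IP, and a 1.13.x cluster targeting v1.13.10; the node listing at the bottom is constructed.

```shell
#!/bin/sh
# Added example (not part of the UK8S advisory). Builds hosts.txt for the
# pssh run from the cluster's own node list and gates the worker upgrade on
# the masters already being done, as the advisory requires.

# pending_masters TARGET: names of masters whose kubelet is not yet at TARGET.
# Reads `kubectl get nodes -o wide --no-headers` on stdin
# (columns: NAME STATUS ROLES AGE VERSION INTERNAL-IP ...).
pending_masters() {
    awk -v t="$1" '$3 ~ /master/ && $5 != t { print $1 }'
}

# pending_worker_hosts TARGET: "root@INTERNAL-IP" for each worker not yet at
# TARGET, i.e. the lines that belong in hosts.txt.
pending_worker_hosts() {
    awk -v t="$1" '$3 !~ /master/ && $5 != t { print "root@" $6 }'
}

# bulk_upgrade_workers TARGET PKGDIR: the pssh sequence from the advisory,
# e.g. bulk_upgrade_workers v1.13.10 1.13.10, run on the jump host that holds
# k8s.tgz. Aborts if any master still reports an older kubelet.
bulk_upgrade_workers() {
    nodes=$(kubectl get nodes -o wide --no-headers)
    if [ -n "$(printf '%s\n' "$nodes" | pending_masters "$1")" ]; then
        echo "masters still pending; upgrade them one at a time first" >&2
        return 1
    fi
    printf '%s\n' "$nodes" | pending_worker_hosts "$1" > hosts.txt
    if [ ! -s hosts.txt ]; then
        echo "no worker nodes below $1; nothing to do" >&2
        return 0
    fi
    pscp.pssh -Ah hosts.txt k8s.tgz /root/
    pssh -Ah hosts.txt -x '-o StrictHostKeyChecking=no' -i 'sudo tar zxvf k8s.tgz'
    pssh -Ah hosts.txt -x '-o StrictHostKeyChecking=no' -i "sudo chmod +x $2/uk8supgrade.sh"
    pssh -Ah hosts.txt -t 0 -x '-o StrictHostKeyChecking=no' -i "sudo sh $2/uk8supgrade.sh node"
}

# Constructed sample of `kubectl get nodes -o wide --no-headers`: both masters
# are done, node-1 and node-3 still run v1.13.5, node-2 is already upgraded.
SAMPLE_NODES='uk8s-master-1  Ready  master  30d  v1.13.10  10.10.10.10  <none>  CentOS Linux 7  3.10.0-957  docker://18.9.9
uk8s-master-2  Ready  master  30d  v1.13.10  10.10.10.11  <none>  CentOS Linux 7  3.10.0-957  docker://18.9.9
uk8s-node-1    Ready  <none>  30d  v1.13.5   10.10.10.12  <none>  CentOS Linux 7  3.10.0-957  docker://18.9.9
uk8s-node-2    Ready  <none>  30d  v1.13.10  10.10.10.13  <none>  CentOS Linux 7  3.10.0-957  docker://18.9.9
uk8s-node-3    Ready  <none>  30d  v1.13.5   10.10.10.14  <none>  CentOS Linux 7  3.10.0-957  docker://18.9.9'

# Dry run on the sample: prints the two hosts.txt lines for node-1 and node-3.
printf '%s\n' "$SAMPLE_NODES" | pending_worker_hosts v1.13.10
```

Because the host list is filtered by kubelet version, the function can simply be re-run after a partial failure: nodes that already completed the upgrade drop out of hosts.txt and are not touched again.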