Two security vulnerabilities were discovered in Rancher server versions v2.0.0 - v2.0.10 and v2.1.0 - v2.1.5. The first vulnerability allows users who are members of a cluster's Default project to escalate their privileges to those of a cluster admin by way of a service account. The second vulnerability allows project members who have been removed from a project to retain the ability to create, update, read, and delete namespaces in that project. The official CVE entries are CVE-2018-20321 (privilege escalation via service account) and CVE-2019-6287 (retained namespace access after removal).
For a more detailed explanation of the CVEs and how we’ve addressed them, you can read our blog article.
For those on v2.1.x, the following versions are now the latest and stable releases:
| Type | Rancher Version | Docker Tag | Helm Repo | Helm Chart Version |
|------|-----------------|------------|-----------|--------------------|
For those on Rancher v2.0.x, you can upgrade to Rancher v2.1.6 or Rancher v2.0.11.
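The affected ranges and patched releases above are easy to misread when you are auditing several Rancher installs at once, so here is a small version checker, written for this page as an added example and not part of Rancher's own code. It encodes only what the advisory states (v2.0.0 - v2.0.10 and v2.1.0 - v2.1.5 affected; v2.0.11 and v2.1.6 fixed). The one assumption beyond the advisory is that a pre-release build of a fixed version (for example `v2.1.6-rc1`) is treated as not yet patched; the inventory at the bottom is constructed sample input.

```python
"""Check Rancher server versions against the ranges in this advisory.

Affected: v2.0.0 - v2.0.10 and v2.1.0 - v2.1.5.
Fixed:    v2.0.11 and v2.1.6.

Added example, not Rancher project code. Assumption: a pre-release tag
(v2.1.6-rc1, v2.0.11-alpha1, ...) sorts before the final release, so a
pre-release of a fixed version is still reported as needing the upgrade.
"""
import re
from typing import Dict, Optional, Tuple

# One entry per affected minor line: (first affected version, first fixed release).
# A version is affected when first_affected <= version < fixed.
FIXED_RELEASES = [
    ((2, 0, 0), (2, 0, 11)),
    ((2, 1, 0), (2, 1, 6)),
]

# Accepts "v2.1.5", "2.1.5" and an optional pre-release suffix such as "-rc1".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")


def version_key(text: str) -> Tuple[int, int, int, int]:
    """Parse a Rancher version string into an orderable tuple.

    The fourth element is 0 for a pre-release and 1 for a final release, so
    that v2.1.6-rc1 < v2.1.6 when tuples are compared.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Rancher version string: {text!r}")
    core = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    is_final = 0 if m.group(4) else 1
    return core + (is_final,)


def format_version(core: Tuple[int, int, int]) -> str:
    return "v%d.%d.%d" % core


def required_upgrade(version: str) -> Optional[str]:
    """Return the patched release to move to, or None if the version is not affected."""
    key = version_key(version)
    for first_affected, fixed in FIXED_RELEASES:
        # Lower bound includes pre-releases of the first affected version;
        # upper bound excludes only the final build of the fixed release.
        if first_affected + (0,) <= key < fixed + (1,):
            return format_version(fixed)
    return None


def audit(servers: Dict[str, str]) -> Dict[str, str]:
    """Map each affected server name to the release it must be upgraded to.

    Servers whose version is not affected are omitted from the result.
    """
    findings = {}
    for name, version in servers.items():
        target = required_upgrade(version)
        if target is not None:
            findings[name] = target
    return findings


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hostnames and versions).
    inventory = {
        "rancher-prod":    "v2.1.5",
        "rancher-staging": "v2.0.10",
        "rancher-dev":     "v2.1.6-rc1",
        "rancher-lab":     "v2.1.6",
        "rancher-legacy":  "v1.6.26",
    }
    for name, target in audit(inventory).items():
        print(f"{name}: running {inventory[name]}, upgrade to {target}")
```

Run it as a script to see the three affected entries in the sample inventory, or import `required_upgrade` into whatever tooling already knows each server's version. Because the check is bounded by the first fixed release rather than by the last affected one, it stays correct if you later learn of additional pre-release builds in between.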
We are taking all necessary steps to prevent a similar incident from happening in the future. We do apologize for any inconvenience this may have caused. If you have any further questions or concerns, please email us at firstname.lastname@example.org.