Two security vulnerabilities were discovered in Rancher server versions v2.0.0 - v2.0.10 and v2.1.0 - v2.1.5. The first vulnerability allows users in the Default project of a cluster to escalate privileges to that of a cluster admin through a service account. The second vulnerability allows members to have continued access to create, update, read, and delete namespaces in a project after they have been removed from it. You can view the official CVEs here CVE-2018-20321 and here CVE-2019-6287.
For a more detailed explanation of the CVEs and how we’ve addressed them, you can read our blog article.
For those on v2.1.x, the following versions are now latest and stable :
| Type | Rancher Version | Docker Tag | Helm Repo | Helm Chart Version |
|---|---|---|---|---|
| Latest | v2.1.6 | rancher/rancher:latest |
server-charts/latest | 2019.1.2 |
| Stable | v2.1.6 | rancher/rancher:stable |
server-charts/stable | 2019.1.2 |
For those on Rancher v2.0.x, you can upgrade to Rancher v2.1.6 or Rancher v2.0.11.
Please follow the usual upgrade steps to update your Rancher installations, but take note of the special instructions if you need to rollback.
We are taking all necessary steps to prevent a similar incident from happening in the future. We do apologize for any inconvenience this may have caused. If you have any further questions or concerns, please email us at security@rancher.com.