# HTTP/2 Vulnerability Update Guide

## Go Language HTTP/2 Vulnerability

- Release time: August 13, 2019
- Update time: August 26, 2019
- Vulnerability level: Important
- CVE Number: CVE-2019-9512, CVE-2019-9514

## Vulnerability Details

Netflix, Google, and CERT/CC recently disclosed eight denial-of-service vulnerabilities in HTTP/2 implementations. Two of them, CVE-2019-9512 (HTTP/2 Ping Flood) and CVE-2019-9514 (HTTP/2 Reset Flood), affect the Go language's net/http library. A malicious client can use them to exhaust the resources of any Go program based on HTTP or HTTPS listeners, which includes all Kubernetes versions and components.

To address these vulnerabilities, Go released Go 1.12.9 and Go 1.11.13, and Kubernetes followed with v1.15.3, v1.14.6, and v1.13.10, built with the patched Go toolchain. Kubernetes users are strongly advised to upgrade to one of these versions as soon as possible.

[Official Reference Document](https://groups.google.com/forum/#!topic/kubernetes-security-announce/wlhlhit1bqa)

## Impact Scope

Clusters created before 18:00 on August 28, 2019 run a Kubernetes version older than the officially released fixed versions and are affected.

Clusters created after 18:00 on August 28, 2019 are created on the fixed versions; the fix has been verified by testing.
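To decide whether a running cluster is still affected before applying the remediation below, the following script is an added example (not UK8S or Kubernetes code) that compares the kubelet version reported by `kubectl get nodes`, and optionally the Go toolchain a binary was built with, against the fixed releases named in this advisory. The node list at the bottom is constructed sample data; `check_cluster` and `binary_go_version` are hypothetical helper names that wrap the real `kubectl` and `go version` commands, and the treatment of Kubernetes 1.16+ and Go 1.13+ as patched is an assumption marked in the code.

```sh
#!/bin/sh
# Added example, not UK8S or Kubernetes code: classify version strings against
# the fixed releases named in this advisory for CVE-2019-9512 / CVE-2019-9514.
#   Kubernetes: v1.13.10, v1.14.6, v1.15.3
#   Go:         go1.11.13, go1.12.9

# Compare two dotted versions (a leading "v" or "go" and any -rc/+build
# suffix are ignored); prints -1, 0 or 1.
vercmp() {
    a=${1#v}; a=${a#go}; a=${a%%[-+]*}
    b=${2#v}; b=${b#go}; b=${b%%[-+]*}
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i"); x=${x:-0}
        y=$(printf '%s\n' "$b" | cut -d. -f"$i"); y=${y:-0}
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
        i=$((i + 1))
    done
    printf '%s\n' 0
}

# First fixed Kubernetes release for a minor line, or nothing if the advisory
# lists no patched release for it.
k8s_min_fixed() {
    case "${1#v}" in
        1.13.*) echo v1.13.10 ;;
        1.14.*) echo v1.14.6 ;;
        1.15.*) echo v1.15.3 ;;
        *)      echo "" ;;
    esac
}

# True (exit 0) if a kubelet/apiserver version is still vulnerable.
k8s_vulnerable() {
    v=${1#v}
    minor=$(printf '%s\n' "$v" | cut -d. -f2)
    min=$(k8s_min_fixed "$v")
    if [ -n "$min" ]; then
        [ "$(vercmp "$v" "$min")" -lt 0 ]
    elif [ "$minor" -lt 13 ]; then
        return 0   # 1.12 and older: affected, and no patched release was issued
    else
        return 1   # assumption: 1.16+ were built with a patched Go toolchain
    fi
}

# True (exit 0) if a Go toolchain version (as printed by `go version`) is
# still vulnerable.
go_vulnerable() {
    v=${1#go}
    minor=$(printf '%s\n' "$v" | cut -d. -f2)
    case "$minor" in
        11) [ "$(vercmp "$v" 1.11.13)" -lt 0 ] ;;
        12) [ "$(vercmp "$v" 1.12.9)" -lt 0 ] ;;
        *)  [ "$minor" -lt 11 ] ;;   # older lines unpatched; assumption: 1.13+ fixed
    esac
}

# Go toolchain a binary was built with (hypothetical helper; `go version <file>`
# needs a Go 1.13 or newer toolchain on the machine running it).
binary_go_version() {
    go version "$1" | awk '{ print $2 }'
}

# One line per node: "<name> <version> ok|VULNERABLE (upgrade to <release>)".
report_nodes() {
    printf '%s\n' "$1" | while read -r name ver; do
        [ -n "$ver" ] || continue
        min=$(k8s_min_fixed "$ver")
        if k8s_vulnerable "$ver"; then
            printf '%s %s VULNERABLE (upgrade to %s)\n' "$name" "$ver" "${min:-a patched release}"
        else
            printf '%s %s ok\n' "$name" "$ver"
        fi
    done
}

# Live check against the real cluster (hypothetical helper; not run by default).
check_cluster() {
    report_nodes "$(kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{" "}{.status.nodeInfo.kubeletVersion}{"\n"}{end}')"
}

# Constructed sample, in the shape check_cluster feeds to report_nodes.
SAMPLE_NODES='master-1 v1.14.5
node-1 v1.14.5
node-2 v1.14.6'

report_nodes "$SAMPLE_NODES"
```

`kubectl get nodes` only reports kubelet versions; check the API server separately with `kubectl version`, and for a binary on disk pass the output of `binary_go_version /usr/bin/kubelet` to `go_vulnerable`.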

## Remediation Plan

UK8S has built upgrade packages for k8s v1.13.10 and v1.14.6 from the official patch releases.

v1.13.10 download link: http://uk8s.cn-bj.ufileos.com/1.13.10/k8s.tgz

v1.14.6 download link: http://uk8s.cn-bj.ufileos.com/1.14.6/k8s.tgz

1. Download the installation package to the server using the command

```
wget http://uk8s.cn-bj.ufileos.com/1.13.10/k8s.tgz
```

If your cluster is running v1.14.5, use the v1.14.6 download link instead.

2. Extract the downloaded installation package

```
tar zxvf k8s.tgz
```

3. Execute the update script

Execute on master

```
chmod +x 1.13.10/uk8supgrade.sh
sh 1.13.10/uk8supgrade.sh master
```

Execute on node

```
chmod +x 1.13.10/uk8supgrade.sh
sh 1.13.10/uk8supgrade.sh node
```

If your cluster is running v1.14.5, use the 1.14.6 directory in place of 1.13.10.

## Points to Note

1. The upgrade must be executed on every master and worker node of the cluster. Upgrade one master node first, verify that the control plane components are healthy with **kubectl get cs**, and only then proceed to the next machine. Never upgrade a second machine while the first is unhealthy.

2. If the cluster is for internal use or has no external network gateway, start a virtual machine with an external IP inside the cluster network, download the package there, copy it to each node with scp, and then run the update on each node.

3. Updating a node takes about 2 minutes. Please wait for it to finish.

4. If any error occurs during the upgrade, contact us immediately for assistance.
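The notes above impose a strict order: one master first, a `kubectl get cs` health check, then the remaining machines. The script below is an added example (not UK8S's uk8supgrade.sh or any official tool) that drives that order over SSH: it copies k8s.tgz to a host, runs `uk8supgrade.sh` with the right role, and refuses to continue past a master until every component in `kubectl get cs` reports Healthy, treating empty or header-only output (for example while the API server is restarting) as unhealthy rather than as "nothing failed". It assumes root SSH access with each node's host key already in `~/.ssh/known_hosts`, kubectl configured on the machine running it, and k8s.tgz in the current directory; the host names at the bottom are constructed, and DRY_RUN defaults to 1 so the script only prints its plan.

```sh
#!/bin/sh
# Added example, not UK8S code: serial rolling upgrade driver for the
# uk8supgrade.sh procedure. Masters go first, one at a time, each gated on
# `kubectl get cs`; workers follow. Assumes root SSH access to every host with
# host keys already in ~/.ssh/known_hosts, kubectl configured locally, and
# k8s.tgz already downloaded into the current directory.

PKG_DIR=${PKG_DIR:-1.13.10}   # directory inside k8s.tgz; use 1.14.6 for a v1.14.5 cluster

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Parse `kubectl get cs` output (columns NAME STATUS MESSAGE ERROR).
# Returns 0 only when at least one component is listed and every STATUS is
# Healthy; an empty or header-only result counts as unhealthy.
cs_all_healthy() {
    printf '%s\n' "$1" | awk 'NR > 1 && $2 != "Healthy" { bad++ }
                              END { exit (NR < 2 || bad) ? 1 : 0 }'
}

# Poll the control plane for up to $1 seconds (default 300) after a master upgrade.
wait_control_plane() {
    if [ "${DRY_RUN:-0}" = 1 ]; then return 0; fi
    deadline=$(( $(date +%s) + ${1:-300} ))
    while :; do
        if cs_all_healthy "$(kubectl get cs 2>/dev/null)"; then return 0; fi
        [ "$(date +%s)" -lt "$deadline" ] || return 1
        sleep 10
    done
}

# Upgrade one host with the given role (master or node), exactly as in the
# manual steps: copy the package, extract it, run the script. Host-key
# checking stays on; seed known_hosts beforehand instead of disabling it.
upgrade_host() {
    host=$1; role=$2
    run scp -o StrictHostKeyChecking=yes ./k8s.tgz "$host:/root/k8s.tgz" || return 1
    run ssh -o StrictHostKeyChecking=yes "$host" \
        "cd /root && tar zxf k8s.tgz && sh $PKG_DIR/uk8supgrade.sh $role"
}

# Masters first, each verified before the next host; workers afterwards.
rolling_upgrade() {
    masters=$1; workers=$2
    for h in $masters; do
        upgrade_host "$h" master || { echo "upgrade of $h failed" >&2; return 1; }
        wait_control_plane 300 || { echo "control plane unhealthy after $h, stopping" >&2; return 1; }
    done
    for h in $workers; do
        upgrade_host "$h" node || { echo "upgrade of $h failed" >&2; return 1; }
    done
}

# Demonstration with constructed host names. DRY_RUN defaults to 1 here so
# only the plan is printed; run with DRY_RUN=0 and real hosts to upgrade.
DRY_RUN=${DRY_RUN:-1}
rolling_upgrade "root@10.10.10.10" "root@10.10.10.11 root@10.10.10.12"
```

Add each node's host key over a trusted network path before the first run (for example `ssh-keyscan -H 10.10.10.11 >> ~/.ssh/known_hosts` from inside the cluster network) rather than passing `-o StrictHostKeyChecking=no`; for a v1.14.5 cluster run it as `DRY_RUN=0 PKG_DIR=1.14.6 sh rolling-upgrade.sh`.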

## Bulk Installation Method

> The bulk method requires all nodes to share the same password, which pssh -A prompts for once. If the passwords differ, use the manual procedure above.

> Master nodes must be upgraded, and verified healthy, before any other machine, so this bulk procedure applies to worker nodes only: upgrade the master nodes manually first.

1. Install the pssh tool

```
yum install pssh -y
```

2. Create a node list file

```
vim hosts.txt
```

The format is user@ip, for example:

```
root@10.10.10.10
root@10.10.10.11
root@10.10.10.12
root@10.10.10.13
```

3. Execute

```
pscp.pssh -Ah hosts.txt k8s.tgz /root/
pssh -Ah hosts.txt -x '-o StrictHostKeyChecking=no' -i 'sudo tar zxvf k8s.tgz'
pssh -Ah hosts.txt -x '-o StrictHostKeyChecking=no' -i 'sudo chmod +x 1.13.10/uk8supgrade.sh'
pssh -Ah hosts.txt -t 0 -x '-o StrictHostKeyChecking=no' -i 'sudo sh 1.13.10/uk8supgrade.sh node'
```

If your cluster is running v1.14.5, use the 1.14.6 directory in place of 1.13.10 in the commands above.

Note that `-o StrictHostKeyChecking=no` turns off SSH host-key verification: an attacker who can intercept traffic to a node could impersonate it and capture the root password that pssh -A sends. If the nodes' host keys are not yet in known_hosts, add them first over a trusted path (for example with ssh-keyscan) and drop that option.
