aws/eks-anywhere v0.19.11

on GitHub

v0.19.11

Supported OS version details

Must read before upgrade

• On October 11, 2024, a security issue CVE-2024-9594 was discovered in the Kubernetes Image Builder where default credentials are enabled during the image build process when using the Nutanix, OVA, QEMU or raw providers. The credentials can be used to gain root access. The credentials are disabled at the conclusion of the image build process. Kubernetes clusters are only affected if their nodes use VM images created via the Image Builder project. Clusters using virtual machine images built with Kubernetes Image Builder version v0.1.37 or earlier are affected if built with the Nutanix, OVA, QEMU or raw providers. These images built using previous versions of image-builder will be vulnerable only during the image build process, if an attacker was able to reach the VM where the image build was happening, login using these default credentials and modify the image at the time the image build was occurring. This CVE has been fixed in image-builder versions >= v0.1.38, which has been included in EKS Anywhere release v0.19.11.
  • CVE-2024-9594: VM images built with Image Builder with some providers use default credentials during builds

Changed

• EKS Distro:
  • v1-27-eks-38 to v1-27-eks-40
  • v1-28-eks-31 to v1-28-eks-34
  • v1-29-eks-20 to v1-29-eks-23
• Image-builder: v0.1.36 to v0.1.39 (CVE-2024-9594)
• containerd: v1.7.22 to v1.7.23
• Cilium: v1.13.19 to v1.13.20
• etcdadm-controller: v1.0.23 to v1.0.24
• etcdadm-bootstrap-provider: v1.0.13 to v1.0.14
• local-path-provisioner: v0.0.29 to v0.0.30
• runc: v1.1.14 to v1.1.15

Fixed

• Skip hardware validation logic for InPlace upgrades. #8779
• Status reconciliation of etcdadm cluster in etcdadm-controller when etcd-machines are unhealthy. #63
• Skip generating AWS IAM Kubeconfig on cluster upgrade. #8851