Update now to protect against serious vulnerability

Patches have been released for a critical vulnerability in Kubernetes which could allow for privilege escalation.

The flaw, CVE-2018-1002105, allows a specially crafted network request to connect to backend servers by establishing a connection with the Kubernetes Application Programming Interface (API) server.

An actor can then send arbitrary requests directly to the backend servers, which are authenticated with the Kubernetes API server’s Transport Layer Security credentials.

Any system utilizing Kubernetes is potentially vulnerable to the security flaw, although precautions such as firewalling the API server may reduce exposure.

It is the first major security issue to have been reported in the core of Kubernetes; it was discovered by security researcher Darren Shepherd.

Patches have already been released for v1.10.11, v1.11.5, v1.12.3, and v1.13.0-rc.1.

Users are urged to upgrade to protect themselves against the flaw. There are possible mitigations, though the Kubernetes team noted that these are likely to be disruptive.
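As an added example (not from the article or from the Kubernetes project), the following check compares a cluster's reported server version against the patched releases listed above. It assumes the `serverVersion.gitVersion` field of `kubectl version -o json`, treats release lines newer than 1.13 as carrying the fix, and treats lines older than 1.10 as having no fixed release.

```python
import json
import re

# Earliest patched release per Kubernetes minor line, taken from the article.
# v1.13.0-rc.1 is represented with rc=1; final releases use rc=None.
PATCHED_FROM = {
    (1, 10): (1, 10, 11, None),
    (1, 11): (1, 11, 5, None),
    (1, 12): (1, 12, 3, None),
    (1, 13): (1, 13, 0, 1),
}

# Accepts "v1.12.3", "1.12.3" and "v1.13.0-rc.1". Vendor-suffixed builds such as
# "v1.12.3-foo.1" are rejected on purpose so they get checked by hand.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-rc\.(\d+))?$")


def parse_version(text):
    """Return (major, minor, patch, rc) with rc=None for a final release."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Kubernetes version: {text!r}")
    major, minor, patch, rc = match.groups()
    return (int(major), int(minor), int(patch), None if rc is None else int(rc))


def _order(v):
    """Sort key: a release candidate sorts before the final release with the same x.y.z."""
    major, minor, patch, rc = v
    return (major, minor, patch, 1 if rc is None else 0, rc or 0)


def is_patched(text):
    """True when the version is at or above the fixed release of its minor line."""
    v = parse_version(text)
    line = (v[0], v[1])
    if line in PATCHED_FROM:
        return _order(v) >= _order(PATCHED_FROM[line])
    # Assumption: lines newer than 1.13 carry the fix; older lines have no fixed release.
    return line > (1, 13)


def check_kubectl_output(version_json):
    """Evaluate the serverVersion.gitVersion field of `kubectl version -o json` output."""
    server = json.loads(version_json)["serverVersion"]["gitVersion"]
    return server, is_patched(server)


# Constructed sample of what `kubectl version -o json` returns for an unpatched cluster.
SAMPLE_KUBECTL_JSON = '{"clientVersion": {"gitVersion": "v1.12.3"}, "serverVersion": {"gitVersion": "v1.12.2"}}'
```

Pipe the real `kubectl version -o json` output into `check_kubectl_output` to decide whether an upgrade is still outstanding for a given cluster.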

The team also noted that there isn’t a simple way to detect whether the vulnerability has been exploited.

A GitHub report read: “Because the unauthorized requests are made over an established connection, they do not appear in the Kubernetes API server audit logs or server log.

“The requests do appear in the kubelet or aggregated API server logs, but are indistinguishable from correctly authorized and proxied requests via the Kubernetes API server.”