Yesterday, a critical security flaw impacting Kubernetes 1.10 and higher was discovered. The flaw, CVE-2018-1002105, was publicly disclosed by the Kubernetes community and reported through the Kubernetes vulnerability reporting process.
According to Red Hat, the flaw could allow malicious actors or unapproved users to escalate privileges on Kubernetes installations, including the company’s own container solution, Red Hat OpenShift. Under Red Hat’s product security ratings, this vulnerability is rated as critical because of the ease of exploitation and potential impact on operations.
“By exploiting this flaw, a malicious user with Pod exec/attach/portforward privileges escalates their privilege to cluster-admin, and any API call to a compute node Kubelet API can be achieved. This means that the user can access any container running on the same node as their pod, allowing them access to sensitive workloads, data and even production applications,” Red Hat explained in an email to SD Times. “Using the second exploit method, an unauthenticated user can exploit the API extension feature used by metrics and service catalog in Kubernetes. This actor can then gain cluster-admin privileges to the service broker which allows the creation of brokered services in any namespace and on any node. Effectively, exploiting the flaw in this manner allows for the creation of new services that are not approved, potentially allowing for the injection of malicious code.”
Red Hat has worked with the Kubernetes community to address this flaw, and Kubernetes 1.10.11, 1.11.5 and 1.12.3 have been released. The issue was also addressed in the solution’s latest release, 1.13.
Red Hat and the Kubernetes community recommend that customers using any of the impacted versions immediately apply the appropriate patches.
“The de facto standard in container orchestration, Kubernetes is often looked to by organizations as a key component of digital transformation. Vulnerabilities like the escalation privilege flaw can potentially delay or entirely derail these strategies, highlighting the need to work with an established partner in building and maintaining a more secure Kubernetes footprint,” Tracy Rankin, senior director of OpenShift Engineering at Red Hat, said in a statement. “Red Hat is proud to have worked closely with the Kubernetes community in assessing and ultimately fixing this flaw.”
More information about the flaw is available here.