BoxBoat Blog
Service updates, customer stories, and tips and tricks for effective DevOps
Kubernetes Vulnerability - CVE-2018-1002105
by Mike 'MJ' Johnson, Cole Kennedy | Tuesday, Dec 4, 2018 | News
With the popularity of Kubernetes, there is always potential for security vulnerabilities to be uncovered. And well, this one is a doozy.
What is it?
The Kubernetes team just released a fix for CVE-2018-1002105, which allowed anyone with API access (privileged or not) to use a specially crafted request to escalate privileges and take control of your Kubernetes cluster. Ouch.
From the CVE:
“With a specially crafted request, users that are authorized to establish a connection through the Kubernetes API server to a backend server can then send arbitrary requests over the same connection directly to that backend, authenticated with the Kubernetes API server’s TLS credentials used to establish the backend connection.”
Full details here: github.com/kubernetes/kubernetes/issues/71411
Who is affected?
So, the big question, are you affected? Well, if you are running Kubernetes, then, yes.
Affected versions:
- Kubernetes v1.0.x-1.9.x
- Kubernetes v1.10.0-1.10.10 (fixed in v1.10.11)
- Kubernetes v1.11.0-1.11.4 (fixed in v1.11.5)
- Kubernetes v1.12.0-1.12.2 (fixed in v1.12.3)
What do I need to do?
This one is pretty straightforward. UPGRADE and ensure your Kubernetes API server is secured behind your company firewall. There is no other way to remediate the issue at this time. For information on upgrading, check here: Upgrading Kubernetes. If you are uncomfortable with upgrading yourself, BoxBoat can help. Call us at 202.420.9736.
As a general security step, you should always make sure that your Kubernetes cluster is properly secured, particularly the kube-apiserver. By default it listens on port 6443, but it may have been deployed on a custom port. Never expose the Kubernetes API server publicly, and make sure you understand who has network access to it inside your organization.
If you are running Kubernetes-as-a-Service on Google, Azure, OpenShift, etc., be sure to check with your service provider whether the patch has been applied. For Docker EE customers, a patch is expected this week (possibly even today, 12/4/18) for the EE Kubernetes integration.
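As an added example (not code from the post or from the Kubernetes project), the shell check below compares a server version string against the affected and fixed versions listed above, so you can tell at a glance which side of the fix a cluster is on; the `kubectl version -o json | jq` invocation in the comment is the assumed way to obtain that string.

```shell
#!/bin/sh
# Added example (not from the post): classify a Kubernetes server version
# against the affected ranges listed above. Get the version with, e.g.,
#   kubectl version -o json | jq -r .serverVersion.gitVersion

# Print "major minor patch": strip a leading "v" and any vendor/build suffix
# ("v1.11.5-gke.1" -> "1 11 5"); missing fields default to 0.
split_version() {
    v=${1#v}; v=${v%%[-+]*}
    oldifs=$IFS; IFS=.; set -- $v; IFS=$oldifs
    echo "${1:-0} ${2:-0} ${3:-0}"
}

# Exit status: 0 = in an affected range, 1 = not in a listed range
# (a fixed release or newer), 2 = version string could not be parsed.
cve_2018_1002105_vulnerable() {
    [ -n "$1" ] || return 2
    set -- $(split_version "$1")
    maj=$1 min=$2 pat=$3
    case "$maj$min$pat" in *[!0-9]*) return 2 ;; esac
    [ "$maj" -eq 1 ] || return 1     # only 1.x releases are listed
    [ "$min" -le 9 ] && return 0     # v1.0.x-1.9.x: no patched release
    case "$min" in
        10) [ "$pat" -le 10 ] ;;     # fixed in v1.10.11
        11) [ "$pat" -le 4 ] ;;      # fixed in v1.11.5
        12) [ "$pat" -le 2 ] ;;      # fixed in v1.12.3
        *)  return 1 ;;
    esac
}

# First release carrying the fix for the minor found by the check above.
fixed_release() {
    case "$1" in
        10) echo v1.10.11 ;;  11) echo v1.11.5 ;;  12) echo v1.12.3 ;;
        *)  echo "a patched release (v1.10.11, v1.11.5 or v1.12.3)" ;;
    esac
}
report_version() {
    rc=0; cve_2018_1002105_vulnerable "$1" || rc=$?
    case $rc in
        0) echo "$1: AFFECTED by CVE-2018-1002105, upgrade to $(fixed_release "$min")" ;;
        1) echo "$1: not in an affected range" ;;
        *) echo "$1: could not parse version" ;;
    esac
}
# Constructed sample inputs, not taken from any real cluster.
for v in v1.9.11 v1.10.10 v1.11.5-gke.1 v1.12.2 v1.13.0 garbage; do
    report_version "$v"
done
```

A version with no listed patched release (v1.0.x through v1.9.x) is reported as affected with a pointer to the patched minors, matching the post's advice that upgrading is the only remediation.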
Good luck and happy sailing.