Kubernetes Vulnerability - CVE-2018-1002105
With the popularity of Kubernetes, there is always potential for security vulnerabilities to be uncovered. And well, this one is a doozy.
What is it?
The Kubernetes team just released a fix for CVE-2018-1002105 which allowed for anyone with API access (privileged or not) to use a specifically crafted request to obtain privilege escalation and take control of your Kubernetes cluster. Ouch.
From the CVE:
“With a specially crafted request, users that are authorized to establish a connection through the Kubernetes API server to a backend server can then send arbitrary requests over the same connection directly to that backend, authenticated with the Kubernetes API server’s TLS credentials used to establish the backend connection.”
Full details here: github.com/kubernetes/kubernetes/issues/71411
Who is affected?
So, the big question, are you affected? Well, if you are running Kubernetes, then, yes.
- Kubernetes v1.0.x-1.9.x
- Kubernetes v1.10.0-1.10.10 (fixed in v1.10.11)
- Kubernetes v1.11.0-1.11.4 (fixed in v1.11.5)
- Kubernetes v1.12.0-1.12.2 (fixed in v1.12.3)
What do I need to do?
This one is pretty straightforward. UPGRADE and ensure your KubeAPI server is secured behind your company firewall. There is no other way to remediate the issue at this time. For information on upgrading, check here: Upgrading Kubernetes. If you are uncomfortable with upgrading yourself, BoxBoat can help. Call us at 202.420.9736.
As a general security step, you should always make sure that your Kubernetes cluster is properly secured, particularly the kube-api server. By default, this is available on port 6443, but may have been deployed using a custom port. Never expose the Kubernetes API server to the public publicly, and ensure you understand who has network access inside your organization.
If you are running Kubernetes-as-a-Service on Google, Azure, Openshift, etc, be sure to check with your service provider if the patch has been applied. For Docker EE customers, a patch is expected this week (possibly even today 12/4/18) for the EE Kubernetes integration.
Good luck and happy sailing.