Major Security Flaw in Kubernetes Found

What may be the first major security flaw has been found in Kubernetes, a widely used container-orchestration system for cloud environments.

Major Kubernetes vendors such as Red Hat, Google, and Microsoft, along with other cloud vendors relying on Kubernetes, are rushing to fix the problem to protect their cloud customers.

Kubernetes is an open source container orchestration project. It helps automate the deployment, scaling, and management of containerized applications in the cloud environment. It is currently one of the most popular cloud container orchestration systems on the market.

Darren Shepherd, who is chief architect and co-founder at Rancher Labs, reported the vulnerability on GitHub as "CVE-2018-1002105: proxy request handling in kube-apiserver can leave vulnerable TCP connections #71411"

Given how widely Kubernetes is deployed in the cloud, fixing this critical “privilege escalation” flaw, CVE-2018-1002105, is urgent.

Darren Shepherd noted on GitHub, "With a specially crafted request, users that are authorized to establish a connection through the Kubernetes API server to a backend server can then send arbitrary requests over the same connection directly to that backend, authenticated with the Kubernetes API server’s TLS credentials used to establish the backend connection."

Red Hat in their security update said, "A flaw has been detected in kubernetes which allows privilege escalation and access to sensitive information in OpenShift products and services. This issue has been assigned CVE-2018-1002105 and has a security impact of Critical. All 3.x versions of OpenShift Container Platform allow for compromise of pods (multiple running container instances) running on a compute node to which a pod is scheduled with normal user privilege. This access could include access to all secrets, pods, environment variables, running pod/container processes, and persistent volumes."

Red Hat has marked this vulnerability as resolved on their portal.

Google in their security bulletin said, "Kubernetes recently discovered a new security vulnerability CVE-2018-1002105, allowing a user with relatively low privileges to bypass authorization to the kubelet's APIs, giving the ability to execute arbitrary operations for any Pod on any node in the cluster. For further details, see the Kubernetes disclosure. All Google Kubernetes Engine (GKE) masters were affected by these vulnerabilities, and we have already upgraded clusters to the latest patch versions. No action is required."

Microsoft in their response said, "In preparation for this announcement, Azure Kubernetes Service has patched all affected clusters by overriding the default Kubernetes configuration to remove unauthenticated access to the entrypoints that exposed the vulnerability. The entrypoints were everything under https://myapiserver/apis/. If you were relying on this unauthenticated access to these endpoints from outside the cluster, you will need to switch to an authenticated path. If you want to upgrade to a Kubernetes release that contains the underlying fix, we have now made version 1.11.5 available."

Kubernetes versions v1.10.11, v1.11.5, v1.12.3 and v1.13.0-rc.1 include the required patches for the vulnerability. Users of Kubernetes v1.0.x-1.9.x must update to one of the patched versions.
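As an added example (not code from this article or from the Kubernetes project), the following Python sketch classifies cluster versions against the patched releases listed above. It assumes that release lines after 1.13 carry the fix and that non-pre-release suffixes such as a vendor build tag can be ignored; the cluster names in the sample inventory are constructed.

```python
import re

# First fixed release on each line, as listed in the article.
# Value: (patch, pre-release tag or None for a final release).
FIRST_FIXED = {10: (11, None), 11: (5, None), 12: (3, None), 13: (0, ("rc", 1))}

_VERSION = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc)\.(\d+))?")
_PRE_ORDER = {"alpha": 0, "beta": 1, "rc": 2}


def _pre_key(pre):
    """Sort key for a pre-release tag; a final release (None) sorts last."""
    if pre is None:
        return (3, 0)
    return (_PRE_ORDER[pre[0]], pre[1])


def classify(version):
    """Return 'patched', 'vulnerable' or 'unknown' for a version string."""
    m = _VERSION.match(version.strip())
    if not m or int(m.group(1)) != 1:
        return "unknown"
    minor, patch = int(m.group(2)), int(m.group(3))
    pre = (m.group(4), int(m.group(5))) if m.group(4) else None
    if minor <= 9:
        return "vulnerable"  # article: v1.0.x-1.9.x must move to a patched version
    if minor > 13:
        return "patched"     # assumption: later release lines carry the fix
    fixed_patch, fixed_pre = FIRST_FIXED[minor]
    if (patch, _pre_key(pre)) >= (fixed_patch, _pre_key(fixed_pre)):
        return "patched"
    return "vulnerable"


def audit(inventory):
    """Map cluster name -> status for a {name: version} inventory."""
    return {name: classify(version) for name, version in inventory.items()}


# Constructed sample inventory; names and versions are illustrative only.
SAMPLE = {"prod-a": "v1.11.4", "prod-b": "v1.12.3", "lab": "v1.13.0-beta.2",
          "legacy": "1.9.11", "managed": "v1.10.11-vendor.1", "odd": "latest"}

if __name__ == "__main__":
    for name, status in sorted(audit(SAMPLE).items()):
        print(f"{name:8} {SAMPLE[name]:20} {status}")
```

A version string does not reflect configuration-level mitigations such as the one Microsoft describes above, so treat a "vulnerable" result as a prompt to check the vendor's status for that cluster.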

Refer to this article for more technical details about this vulnerability.


By Mandar Pise
