News

Upgrades Recommended To Address Critical Kubernetes Flaws

• By Kurt Mackie
• 12/05/2018

Kubernetes deployments have "Critical" flaws that could permit information disclosures, according to a Kubernetes announcement.

The flaws go by the Common Vulnerabilities and Exposures (CVE) name of CVE-2018-1002105, although the CVE entry may not be published yet. The issue is rated 9.8 (out of 10) in severity, according to the Common Vulnerability Scoring System.

The flaws are associated with privilege "abuse," but there's also a problem with being able to exploit calls to Kubernetes API servers. Default Kubernetes configurations permit "all users (authenticated and unauthenticated)" to make such API server calls, according to the announcement, so it's a wide-open issue. Attacks can get initiated by a "specially crafted request" sent to the back end server, according to the Kubernetes announcement, which omitted the details. 

Kubernetes is an open source container orchestration solution for clusters that was initially fostered by Google, but it's now overseen by the Cloud Native Computing Foundation. Google hosts Kubernetes services and Microsoft also offers its Azure Kubernetes Service (AKS). Organization may also host Kubernetes in their own datacenters, and could use container-based application platforms to do so, such as Red Hat's OpenShift.

Red Hat issued a notice, which has a bit more information in it about the flaws. The flaws enable "privilege escalation and access to sensitive information in OpenShift products and services," according to Red Hat. In a particular, the flaw permits access to "all secrets, pods, environment variables" for organizations using OpenShift 3.x versions. The flaw can be exploited by users with normal user privileges if they abuse "pod exec, attach or portforward privileges." It also can be exploited by any user via the API Extensions feature in "OpenShift Container Platform 3.6 and later" versions. In response, Red Hat this week released updates to its various OpenShift Container Platform products.

Google issued its announcement about the flaws, saying that they allow "a user with relatively low privileges to bypass authorization to the kubelet's APIs." The flaws give attackers the "ability to execute arbitrary operations for any Pod on any node in the cluster." Google has already patched its Google Kubernetes Engine software, and no action is required for organizations using its services.

Microsoft noted on Monday that it patched all affected clusters in its AKS. For organizations that have deployed AKS, Microsoft released version 1.11.5, which is an upgrade that addresses the flaws.

The announcement by Kubernetes offered the following list of affected versions, plus the fixed ones:

• Kubernetes v1.0.x-1.9.x
• Kubernetes v1.10.0-1.10.10 (fixed in v1.10.11)
• Kubernetes v1.11.0-1.11.4 (fixed in v1.11.5)
• Kubernetes v1.12.0-1.12.2 (fixed in v1.12.3)

However, organizations using "binaries or packages provided by a distributor" should contact the distributor to address the issue, the Kubernetes announcement added. While some mitigation steps were listed in the announcement, Kubernetes described them as being "disruptive" to use, and recommended performing a Kubernetes software upgrade instead.

One problem with these critical flaws in Kubernetes is that organizations cannot determine if they've been exploited. "Because the unauthorized requests are made over an established connection, they do not appear in the Kubernetes API server audit logs or server log," the Kubernetes announcement explained.