Kubernetes Security Flaw Is a 'Really Big Deal' – Patch Now

Mitch Wagner

A critical vulnerability in Kubernetes allows attackers to take over any vulnerable node using a specially crafted request.

Users need to upgrade to the latest Kubernetes version right away -- which is going to be painful to network operators who need to evaluate new software versions first before deploying them into production.

CVE-2018-1002105 allows users to send a "specially crafted request" through a Kubernetes API server to a backend server, authenticated using the Kubernetes API server's own TLS (Transport Layer Security) credentials, according to a report on GitHub by Jordan Liggitt, part of the Kubernetes security team.

"That's geekspeak for making it a zombie sock-puppet," writes tech journalist Larry Loeb at our sister site, Security Now. (See Kubernetes Vulnerability Can Turn Containers Into Zombies.)

The vulnerability was discovered by Darren Shepherd, co-founder at Rancher Labs. It has been assigned a CVSS score of 9.8 out of 10 and is considered critical.

Kubernetes has a bug. It is not as cute as this one.

"This is a big deal," writes Ashesh Badani, Red Hat VP and general manager of the cloud platforms business unit, on the Red Hat Blog. Not only can an attacker steal sensitive data or inject malicious code, but they can also bring down production applications and services from within an organization's firewall.

Organizations using a commercial Kubernetes distribution should contact their vendor to be sure they're protected, while operators using upstream Kubernetes need to manage upgrades themselves, Liggitt notes.

— Mitch Wagner, Executive Editor, Light Reading