Kubernetes Security Flaw Is a 'Really Big Deal' – Patch Now

A critical vulnerability in Kubernetes allows attackers to take over any vulnerable node using a specially crafted request.

Users need to upgrade to the latest Kubernetes version right away, which is going to be painful for network operators who need to evaluate new software versions before deploying them into production.

CVE-2018-1002105 allows users to send a "specially crafted request" through a Kubernetes API server to a backend server, authenticated using the Kubernetes API server's own TLS (transport layer security) credentials, according to a report on GitHub by Jordan Liggitt, a member of the Kubernetes security team.

"That's geekspeak for making it a zombie sock-puppet," writes tech journalist Larry Loeb at our sister site, Security Now. (See Kubernetes Vulnerability Can Turn Containers Into Zombies.)

The vulnerability was discovered by Darren Shepherd, co-founder at Rancher Labs. It has been assigned a CVSS score of 9.8 out of 10 and is considered critical.

Kubernetes has a bug. It is not as cute as this one.

"This is a big deal," writes Ashesh Badani, Red Hat VP and general manager of the cloud platforms business unit, on the Red Hat Blog. Not only can an attacker exploiting the flaw steal sensitive data or inject malicious code, but they can also bring down production applications and services from within an organization's firewall.

Organizations using a commercial Kubernetes distribution should contact their vendor to be sure they're protected, while operators using upstream Kubernetes need to manage upgrades themselves, Liggitt notes.

— Mitch Wagner, Executive Editor, Light Reading