A critical vulnerability in Kubernetes allows attackers to take over any vulnerable node using a specially crafted request.
Users need to upgrade to the latest Kubernetes version right away, which will be painful for network operators, who need to evaluate new software versions before deploying them into production.
CVE-2018-1002105 allows users to send a "specially crafted request" through a Kubernetes API server to a backend server; the forwarded request is authenticated using the Kubernetes API server's own TLS (transport layer security) credentials, according to a report on GitHub by Jordan Liggitt, part of the Kubernetes security team.
"That's geekspeak for making it a zombie sock-puppet," writes tech journalist Larry Loeb at our sister site, Security Now. (See Kubernetes Vulnerability Can Turn Containers Into Zombies.)
The vulnerability was discovered by Darren Shepherd, co-founder at Rancher Labs. It has been assigned a CVSS score of 9.8 out of 10 and is considered critical.
"This is a big deal," writes Ashesh Badani, Red Hat VP and general manager of the cloud platforms business unit, on the Red Hat Blog. Not only can an attacker exploiting it steal sensitive data or inject malicious code, but they can also bring down production applications and services from within an organization's firewall.
Organizations using a commercial Kubernetes distribution should contact their vendor to be sure they're protected, while operators using upstream Kubernetes need to manage upgrades themselves, Liggitt notes.
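Whichever route an operator takes, the first step is knowing which API server and node versions are actually running. The inventory check below is an added example, not code from the article, from Kubernetes or from any vendor. It reads the JSON that `kubectl version -o json` and `kubectl get nodes -o json` emit (the `serverVersion.gitVersion` and `status.nodeInfo.kubeletVersion` fields), parses the version strings, and compares each against a per-minor-branch "first patched release" table. The sample documents are constructed, and the `MIN_FIXED` thresholds are placeholders: the real fixed versions must be taken from the Kubernetes advisory for CVE-2018-1002105 or from your distribution vendor. The fix for this CVE lands in the API server, so `serverVersion` is the decisive result; kubelet versions are listed because a cluster upgrade normally moves them too and a mixed-version fleet is worth seeing.

```python
"""Version inventory for a Kubernetes cluster.

Added example (not from the article or the Kubernetes project). It parses the
output shapes of `kubectl version -o json` and `kubectl get nodes -o json` and
flags components whose version is below a per-branch patched release.
"""
import json
import re
import subprocess
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# PLACEHOLDER thresholds keyed by minor branch: (major, minor) -> first patched
# (major, minor, patch). The values here are constructed for the sample run;
# replace them with the fixed versions from the advisory or your vendor.
MIN_FIXED: Dict[Tuple[int, int], Version] = {
    (1, 10): (1, 10, 99),
    (1, 11): (1, 11, 99),
    (1, 12): (1, 12, 99),
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(s: str) -> Optional[Version]:
    """Extract (major, minor, patch) from 'v1.12.2', 'v1.11.3-gke.1' or
    'v1.13.0-rc.1'; vendor and pre-release suffixes are ignored."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_patched(version: str) -> Optional[bool]:
    """True if at or above the patched release of its minor branch, False if
    below, None if unparseable or the branch is not in MIN_FIXED (treat None
    as 'needs manual review' rather than as safe)."""
    v = parse_version(version)
    if v is None:
        return None
    branch = (v[0], v[1])
    if branch not in MIN_FIXED:
        return None
    return v >= MIN_FIXED[branch]


def audit(version_json: str, nodes_json: str) -> List[Tuple[str, str, Optional[bool]]]:
    """Return (component, version, patched?) for the API server and each node."""
    results: List[Tuple[str, str, Optional[bool]]] = []
    server = json.loads(version_json)["serverVersion"]["gitVersion"]
    results.append(("apiserver", server, is_patched(server)))
    for item in json.loads(nodes_json)["items"]:
        name = item["metadata"]["name"]
        kubelet = item["status"]["nodeInfo"]["kubeletVersion"]
        results.append((f"node/{name}", kubelet, is_patched(kubelet)))
    return results


def run_kubectl(args: List[str]) -> str:
    """Run kubectl with the given arguments and return its stdout."""
    return subprocess.check_output(["kubectl", *args], text=True)


# Constructed sample output in the shape kubectl emits (not real cluster data).
SAMPLE_VERSION = json.dumps({"clientVersion": {"gitVersion": "v1.12.100"},
                             "serverVersion": {"gitVersion": "v1.12.2"}})
SAMPLE_NODES = json.dumps({"items": [
    {"metadata": {"name": "node-a"},
     "status": {"nodeInfo": {"kubeletVersion": "v1.12.100"}}},
    {"metadata": {"name": "node-b"},
     "status": {"nodeInfo": {"kubeletVersion": "v1.11.3-gke.1"}}},
    {"metadata": {"name": "node-c"},
     "status": {"nodeInfo": {"kubeletVersion": "v1.9.7"}}},
]})

if __name__ == "__main__":
    import sys
    live = "--live" in sys.argv  # pass --live to query a real cluster
    vj = run_kubectl(["version", "-o", "json"]) if live else SAMPLE_VERSION
    nj = run_kubectl(["get", "nodes", "-o", "json"]) if live else SAMPLE_NODES
    labels = {True: "patched", False: "BELOW THRESHOLD", None: "review"}
    for comp, ver, ok in audit(vj, nj):
        print(f"{comp:<14} {ver:<16} {labels[ok]}")
```

Run it without arguments to see the constructed sample, or with `--live` against a cluster. Two caveats: `kubectl version` reports whichever API server replica answered, so in a multi-replica control plane repeat the check per replica; and an unlisted branch deliberately returns `None` rather than `True`, so a branch the table does not cover is surfaced for review instead of silently passing.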
— Mitch Wagner, Executive Editor, Light Reading