Kubernetes Security Flaw Is a 'Really Big Deal' – Patch Now

Attackers can take over any node running a vulnerable Kubernetes version, turning it into a 'zombie sock puppet.'

Mitch Wagner, Executive Editor, Light Reading

December 5, 2018

A critical vulnerability in Kubernetes allows attackers to take over any vulnerable node using a specially crafted request.

Users need to upgrade to the latest Kubernetes version right away -- which is going to be painful for network operators who need to evaluate new software versions before deploying them into production.

CVE-2018-1002105 allows users to send a "specially crafted request" through a Kubernetes API server to a backend server, authenticated using the Kubernetes API server's own TLS (transport layer security) credentials, according to a report on GitHub by Jordan Liggitt, part of the Kubernetes security team.

"That's geekspeak for making it a zombie sock-puppet," writes tech journalist Larry Loeb at our sister site, Security Now. (See Kubernetes Vulnerability Can Turn Containers Into Zombies.)

The vulnerability was discovered by Darren Shepherd, co-founder at Rancher Labs. It has been assigned a CVSS score of 9.8 out of 10 and is considered critical.

Figure 1: Kubernetes has a bug. It is not as cute as this one.

"This is a big deal," writes Ashesh Badani, Red Hat VP and general manager of the cloud platforms business unit, on the Red Hat Blog. Not only can this actor steal sensitive data or inject malicious code, but they can also bring down production applications and services from within an organization's firewall.

Organizations using a commercial Kubernetes distribution should contact their vendor to be sure they're protected, while operators using upstream Kubernetes need to manage upgrades themselves, Liggitt notes.
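The first thing an operator needs to know is whether the control plane is still on a release that predates the fix on its own minor line. The script below is an added example, not code from the article or from the Kubernetes project: it parses the output of `kubectl version -o json` (a constructed sample is embedded) and compares the server's gitVersion against a per-minor-line table of minimum patched versions. The version numbers in that table are placeholders, not the real fixed releases; substitute the versions listed in the Kubernetes advisory for CVE-2018-1002105. Vendor suffixes such as a hypothetical `-gke.1` are parsed but ignored, because, as Liggitt notes, a commercial distribution's own advisory decides whether a build is patched.

```python
"""
Added example (not from the article or the Kubernetes project): decide whether
a cluster's control-plane version is at or above the patched release on its
own minor line, the check an operator runs before deciding whether an upgrade
for CVE-2018-1002105 is still outstanding.

ASSUMPTION: PATCHED_MIN holds PLACEHOLDER versions (patch level 999 is not a
real release). Replace them with the fixed releases from the advisory.
"""
import json
import re

# PLACEHOLDER minimum patched (major, minor, patch) per minor line.
PATCHED_MIN = {
    (1, 10): (1, 10, 999),
    (1, 11): (1, 11, 999),
    (1, 12): (1, 12, 999),
}

# gitVersion strings look like "v1.11.5", "v1.12.2-gke.1", "v1.11.5+coreos.0".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.\-]+))?")


def parse_git_version(git_version):
    """Return ((major, minor, patch), suffix_or_None) for a gitVersion string.

    The suffix (a vendor or prerelease tag) is returned but never used for
    ordering; the distribution vendor's advisory governs those builds.
    """
    m = _VERSION_RE.match(git_version.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % git_version)
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return (major, minor, patch), m.group(4)


def assess(git_version, patched_min=PATCHED_MIN):
    """Classify a version as 'patched', 'vulnerable', 'unsupported-line'
    (older than any line that received a fix, so an upgrade is mandatory) or
    'unknown-line' (newer than the table; consult the advisory)."""
    (major, minor, patch), _suffix = parse_git_version(git_version)
    line = (major, minor)
    if line not in patched_min:
        return "unknown-line" if line > max(patched_min) else "unsupported-line"
    return "patched" if (major, minor, patch) >= patched_min[line] else "vulnerable"


def assess_kubectl_json(kubectl_version_json):
    """Take the text of `kubectl version -o json` and assess serverVersion.

    Only the server side matters here: the flaw lives in the API server, so
    the client's version says nothing about exposure.
    """
    doc = json.loads(kubectl_version_json)
    server = doc.get("serverVersion") or {}
    if "gitVersion" not in server:
        raise ValueError("no serverVersion.gitVersion in kubectl output")
    return server["gitVersion"], assess(server["gitVersion"])


# Constructed sample shaped like `kubectl version -o json`; not a real cluster.
SAMPLE_KUBECTL_JSON = json.dumps({
    "clientVersion": {"major": "1", "minor": "12", "gitVersion": "v1.12.2"},
    "serverVersion": {"major": "1", "minor": "11", "gitVersion": "v1.11.3"},
})

if __name__ == "__main__":
    version, verdict = assess_kubectl_json(SAMPLE_KUBECTL_JSON)
    print("server %s: %s" % (version, verdict))
```

Run it against the real command with `kubectl version -o json | python3 check.py` once the placeholder table holds the advisory's fixed versions; a verdict of `unsupported-line` means the cluster's minor release never received a fix and must move to a supported line rather than a patch release.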


About the Author(s)

Mitch Wagner

Executive Editor, Light Reading

San Diego-based Mitch Wagner is many things. As well as being "our guy" on the West Coast (of the US, not Scotland, or anywhere else with indifferent meteorological conditions), he's a husband (to his wife), dissatisfied Democrat, American (so he could be President some day), nonobservant Jew, and science fiction fan. Not necessarily in that order.

He's also one half of a special duo, along with Minnie, who is the co-habitor of the West Coast Bureau and Light Reading's primary chewer of sticks, though she is not the only one on the team who regularly munches on bark.

Wagner, whose previous positions include Editor-in-Chief at Internet Evolution and Executive Editor at InformationWeek, will be responsible for tracking and reporting on developments in Silicon Valley and other US West Coast hotspots of communications technology innovation.

Beats: Software-defined networking (SDN), network functions virtualization (NFV), IP networking, and colored foods (such as 'green rice').
