Attackers can take over any node running a vulnerable Kubernetes version, turning it into a 'zombie sock puppet.'
A critical vulnerability in Kubernetes allows attackers to take over any vulnerable node using a specially crafted request.
Users need to upgrade to the latest Kubernetes version right away, which will be painful for network operators who must evaluate new software versions before deploying them into production.
CVE-2018-1002105 allows users to send a "specially crafted request" through a Kubernetes API server to a backend server, authenticated using the Kubernetes API server's own TLS (transport layer security) credentials, according to a report on GitHub by Jordan Liggitt, a member of the Kubernetes security team.
"That's geekspeak for making it a zombie sock-puppet," writes tech journalist Larry Loeb at our sister site, Security Now. (See Kubernetes Vulnerability Can Turn Containers Into Zombies.)
The vulnerability was discovered by Darren Shepherd, co-founder at Rancher Labs. It has been assigned a CVSS score of 9.8 out of 10 and is considered critical.
Figure 1: Kubernetes has a bug. It is not as cute as this one.
"This is a big deal," writes Ashesh Badani, Red Hat VP and general manager of the cloud platforms business unit on the Red Hat Blog. Not only can this actor steal sensitive data or inject malicious code, but they can also bring down production applications and services from within an organization's firewall.
Organizations using a commercial Kubernetes distribution should contact their vendor to be sure they're protected, while operators using upstream Kubernetes need to manage upgrades themselves, Liggitt notes.
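As an added illustration of the upgrade advice above (example code written for this page, not from Light Reading, the Kubernetes project or any vendor), the script below takes `kubectl version -o json` output collected from several clusters and flags those whose server version sits below a patched floor. The floor table holds placeholder numbers: the real patch levels come from the Kubernetes advisory, and for commercial distributions with backported fixes the vendor's statement, not the upstream version number, is what decides.

```python
"""Fleet-wide Kubernetes version check (added example, not the article's own code)."""
import json
import re

# Minimum patched patch-level per minor release. These are PLACEHOLDER values,
# constructed for this example: replace them with the patch numbers listed in
# the Kubernetes security advisory for CVE-2018-1002105 before real use.
PLACEHOLDER_FLOORS = {(1, 10): 11, (1, 11): 5, (1, 12): 3}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_git_version(git_version):
    """Return (major, minor, patch) from a gitVersion string such as 'v1.12.2'
    or 'v1.11.3-gke.18'. The vendor suffix is ignored here, so a distribution
    that backports the fix can look vulnerable by upstream number alone."""
    m = _VERSION_RE.match(git_version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {git_version!r}")
    return tuple(int(x) for x in m.groups())


def assess(git_version, floors=PLACEHOLDER_FLOORS):
    """Classify one API server version as 'patched', 'vulnerable' or
    'unsupported' (minor not in the table, e.g. a release line that received
    no fix and needs a migration rather than a patch upgrade)."""
    major, minor, patch = parse_git_version(git_version)
    floor = floors.get((major, minor))
    if floor is None:
        return "unsupported"
    return "patched" if patch >= floor else "vulnerable"


def assess_fleet(version_outputs, floors=PLACEHOLDER_FLOORS):
    """version_outputs maps a cluster name to the JSON text printed by
    `kubectl version -o json`. Returns {cluster: (serverGitVersion, verdict)}."""
    report = {}
    for name, text in version_outputs.items():
        doc = json.loads(text)
        server = doc["serverVersion"]["gitVersion"]
        report[name] = (server, assess(server, floors))
    return report


# Constructed sample input standing in for real `kubectl version -o json` output.
SAMPLE_OUTPUTS = {
    "prod-east": json.dumps({"clientVersion": {"gitVersion": "v1.12.3"},
                             "serverVersion": {"gitVersion": "v1.12.2"}}),
    "prod-west": json.dumps({"clientVersion": {"gitVersion": "v1.12.3"},
                             "serverVersion": {"gitVersion": "v1.12.3"}}),
    "lab": json.dumps({"clientVersion": {"gitVersion": "v1.12.3"},
                       "serverVersion": {"gitVersion": "v1.9.11"}}),
}

if __name__ == "__main__":
    for cluster, (version, verdict) in assess_fleet(SAMPLE_OUTPUTS).items():
        print(f"{cluster:10s} {version:12s} {verdict}")
```

Run it against the JSON you gather from each cluster's kubectl context; anything reported as vulnerable or unsupported is a candidate for the urgent upgrade the article describes, with unsupported lines needing a move to a fixed release line rather than a patch bump.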
— Mitch Wagner
Executive Editor, Light Reading