Kubernetes patched to fix a privilege escalation vulnerability

Recently, Kubernetes was found to have a serious security vulnerability, tracked as CVE-2018-1002105. A malicious user can use the Kubernetes API server to connect to a backend server, send arbitrary requests to it, and authenticate with the TLS credentials of the API server. The seriousness of this vulnerability is that it can be exploited remotely, the attack is not complicated, and no user interaction or special permissions are required.


Affected components:

  • Kubernetes API server

Affected versions:

  • Kubernetes v1.0.x-1.9.x
  • Kubernetes v1.10.0-1.10.10 (fixed in v1.10.11)
  • Kubernetes v1.11.0-1.11.4 (fixed in v1.11.5)
  • Kubernetes v1.12.0-1.12.2 (fixed in v1.12.3)
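As an added example (not part of the original article), the version ranges above turned into a check you can run against the `serverVersion.gitVersion` field that `kubectl version -o json` reports; the JSON sample embedded below is constructed, not taken from a real cluster.

```python
import json
import re

# Affected ranges taken from the advisory text above.
# minor -> first patch release that contains the fix
FIXED_PATCH = {10: 11, 11: 5, 12: 3}
UNFIXED_MINORS = range(0, 10)  # v1.0.x through v1.9.x have no patched release

_GIT_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.+-]+))?")


def parse_git_version(git_version):
    """Split a gitVersion such as 'v1.11.4' or 'v1.10.7-gke.2' into
    (major, minor, patch, suffix); the distro suffix does not affect the check."""
    m = _GIT_VERSION_RE.match(git_version.strip())
    if not m:
        raise ValueError("unrecognised gitVersion: %r" % git_version)
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return major, minor, patch, m.group(4)


def assess(git_version):
    """Return (vulnerable, advice) for a server version against CVE-2018-1002105."""
    major, minor, patch, _suffix = parse_git_version(git_version)
    if major != 1:
        return False, "major version %d is outside the advisory; check manually" % major
    if minor in UNFIXED_MINORS:
        return True, ("v1.%d has no patched release; upgrade to v1.10.11, "
                      "v1.11.5 or v1.12.3" % minor)
    if minor in FIXED_PATCH:
        fixed = FIXED_PATCH[minor]
        if patch < fixed:
            return True, "upgrade to v1.%d.%d or later" % (minor, fixed)
        return False, "v1.%d.%d contains the fix" % (minor, patch)
    return False, "not in an affected range listed by the advisory"


def assess_kubectl_json(json_text):
    """Take the output of `kubectl version -o json` and assess serverVersion.gitVersion."""
    git_version = json.loads(json_text)["serverVersion"]["gitVersion"]
    return git_version, assess(git_version)


# Constructed sample shaped like `kubectl version -o json` output (not a real cluster).
SAMPLE_KUBECTL_JSON = """{
  "clientVersion": {"major": "1", "minor": "12", "gitVersion": "v1.12.3"},
  "serverVersion": {"major": "1", "minor": "11", "gitVersion": "v1.11.3"}
}"""

if __name__ == "__main__":
    version, (vulnerable, advice) = assess_kubectl_json(SAMPLE_KUBECTL_JSON)
    print("%s: %s (%s)" % (version, "VULNERABLE" if vulnerable else "ok", advice))
```

Pipe the real output in with `kubectl version -o json | python3 check.py` after replacing the sample with `sys.stdin.read()`; managed-distribution suffixes such as `-gke.2` are tolerated by the parser but only the upstream patch number is compared.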

The worst thing is that there is no easy way for the user to detect whether this vulnerability has been exploited. Since the unauthorized requests are made through already established connections, they do not appear in the Kubernetes API server audit log or server log. The requests do appear in the kubelet or aggregated API server logs, but they are indistinguishable from requests that are properly authorized and proxied by the Kubernetes API server.

Kubernetes has now released patched versions v1.10.11, v1.11.5, v1.12.3, and v1.13.0-rc.1. If you are still using Kubernetes v1.0.x through v1.9.x, for which no patched release exists, stop using it and upgrade to one of the patched versions.