Researchers Find First Major Kubernetes Flaw

December 04, 2018 / Kacy Zurkus

Security researchers have patched a critical security flaw in the popular container orchestration tool Kubernetes that could allow third parties to remotely control targeted systems. Organizations running previous versions were urgently requested to upgrade to Kubernetes v1.10.11, v1.11.5, and v1.12.3. The issue will also be addressed in the upcoming v1.13.0 release, according to Google staff software engineer Jordan Liggitt.

“This vulnerability allows specially crafted requests to establish a connection through the Kubernetes API server to backend servers (such as aggregated API servers and kubelets), then send arbitrary requests over the same connection directly to the backend, authenticated with the Kubernetes API server’s TLS credentials used to establish the backend connection,” he explained.

CVE-2018-1002105 is a privilege escalation flaw allowing an attacker to gain full admin privileges on any compute node running in a Kubernetes cluster. As such, it’s been g...