Security researchers have patched a critical security flaw in popular container orchestration tool Kubernetes which could allow third parties to remotely control targeted systems.
Organizations running previous versions were urgently requested to upgrade to Kubernetes v1.10.11, v1.11.5, and v1.12.3. The issue will also be addressed in the upcoming v1.13.0 release, according to Google staff software engineer, Jordan Liggitt.
“This vulnerability allows specially crafted requests to establish a connection through the Kubernetes API server to backend servers (such as aggregated API servers and kubelets), then send arbitrary requests over the same connection directly to the backend, authenticated with the Kubernetes API server’s TLS credentials used to establish the backend connection,” he explained.
CVE-2018-1002105 is a privilege escalation flaw allowing an attacker to gain full admin privileges on any computer node run in a Kubernetes cluster. As such, it’s been give a CVSS score of 9.8.
“This is a big deal,” warned Red Hat cloud platforms lead, Ashesh Badani. “Not only can this actor steal sensitive data or inject malicious code, but they can also bring down production applications and services from within an organization’s firewall.”
All the firm’s Kubernetes-based products are affected: Red Hat OpenShift Container Platform, Red Hat OpenShift Online and Red Hat OpenShift Dedicated.
However, Badani used the opportunity to promote enterprise-grade open source products, which he claimed offer greater contextualized support for organizations in these situations.
This is the first major bug discovered in the popular container orchestration platform, and is likely to be exploited in the wild given the growing popularity of microservices among DevOps teams.
According to one firm, 44% of companies plan to replace some of their virtual machines (VMs) with containers, while the vast majority (71%) said they’ve already deployed containers on a VM.