Rancher Labs' principal architect Darren Shepherd has discovered a vulnerability in the Kubernetes API server. It is tracked as CVE-2018-1002105.

Using forged requests, an attacker can gain access to back-end services over connections that the API server has already established. To make matters worse, there is no easy way to detect whether this vulnerability has been used: because the unauthorized requests are made over established connections, they do not appear in the Kubernetes API server audit logs or server logs. The only way to fix this vulnerability is to upgrade Kubernetes as soon as possible.

Kubernetes has now released new versions that address this vulnerability. Jordan Liggitt, a senior engineer at Google on the Kubernetes security team, recommends that enterprise users move to the corresponding version as soon as possible.

Versions affected by CVE-2018-1002105:

Kubernetes v1.0.x – 1.9.x

Kubernetes v1.10.0-1.10.10

Kubernetes v1.11.0-1.11.4

Kubernetes v1.12.0-1.12.2

Fixed versions:

Kubernetes v1.10.11

Kubernetes v1.11.5

Kubernetes v1.12.3

Kubernetes v1.13.0-rc.1

Affected configurations:

  • An extension API server is enabled in the cluster, and kube-apiserver is directly connected to the extension API server's network.
  • The cluster opens up the pod exec/attach/portforward interface, allowing an attacker to gain full kubelet API access.
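
The version ranges and the two affected configurations above can be checked against a cluster's own data. The following is an added example, not code from the original page or the Kubernetes project: the function names and sample objects are hypothetical, and the inputs are assumed to be the parsed JSON of `kubectl get apiservices -o json` and `kubectl get clusterroles -o json`.

```python
import re

# First fixed patch release per minor line, as listed in the advisory above.
FIXED_PATCH = {10: 11, 11: 5, 12: 3}
STREAM_SUBRESOURCES = {"pods/exec", "pods/attach", "pods/portforward"}

def in_listed_affected_range(git_version):
    """True if a gitVersion such as 'v1.11.4' is in a listed affected range.
    Assumption: build suffixes ('-gke.1', '+abc') are ignored, so vendor builds
    with backported fixes and 1.13 pre-releases need a separate check."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", git_version)
    if not m:
        raise ValueError(f"unrecognised version: {git_version!r}")
    major, minor, patch = map(int, m.groups())
    if major == 1 and minor <= 9:  # v1.0.x - v1.9.x: no fixed patch listed
        return True
    return major == 1 and patch < FIXED_PATCH.get(minor, 0)

def extension_apiservices(apiservice_list):
    """APIService names backed by a Service, i.e. served by an extension API
    server; built-in groups are served locally and have no spec.service."""
    return [i["metadata"]["name"] for i in apiservice_list["items"]
            if i.get("spec", {}).get("service")]

def roles_granting_pod_streams(role_list):
    """(Cluster)Role names whose rules cover pod exec/attach/portforward."""
    hits = []
    for role in role_list["items"]:
        for rule in role.get("rules") or []:
            core = {"", "*"} & set(rule.get("apiGroups", []))
            res = set(rule.get("resources", []))
            if core and res & (STREAM_SUBRESOURCES | {"*"}):
                hits.append(role["metadata"]["name"])
                break
    return hits

# Constructed sample objects, shaped like `kubectl get ... -o json` output.
SAMPLE_APISERVICES = {"items": [
    {"metadata": {"name": "v1.apps"}, "spec": {"service": None}},
    {"metadata": {"name": "v1beta1.metrics.k8s.io"},
     "spec": {"service": {"namespace": "kube-system", "name": "metrics-server"}}}]}
SAMPLE_ROLES = {"items": [
    {"metadata": {"name": "view"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get"]}]},
    {"metadata": {"name": "debugger"},
     "rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]}]}

if __name__ == "__main__":
    print(in_listed_affected_range("v1.11.4"), extension_apiservices(SAMPLE_APISERVICES),
          roles_granting_pod_streams(SAMPLE_ROLES))
```

A role that appears in the last list only matters once it is bound to a subject, so the matching RoleBindings and ClusterRoleBindings still need to be reviewed.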

More details:

https://github.com/kubernetes/kubernetes/issues/71411