Not ready for Kubernetes 1.13 yet? At least patch your setup NOW


Three new patch releases of the container orchestration software Kubernetes have been issued to fix a critical security flaw that could let attackers steal data or inject code with relative ease.

According to Kubernetes Product Security Team member Jordan Liggitt, the vulnerability CVE-2018-1002105 concerns the Kubernetes API Server, the project’s main management element. If not patched, the flaw can be used to establish connections to backend servers and send them requests authenticated with the Kubernetes API server’s TLS credentials.

This means attackers could gain full admin privileges on any compute node in a Kubernetes cluster. The issue can be fixed by upgrading either to the newly available v1.13 or to one of the patch releases (1.10.11, 1.11.5, and 1.12.3).
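A version check for the fix list above, added here as an example (not code from the article or the Kubernetes project): it reads inventory lines of cluster name and server version and lists every cluster not on a fixed release. The function names and the sample inventory are constructed for illustration; versions below 1.10, for which the article names no fix, are reported as `unlisted`.

```shell
#!/bin/sh
# Classify Kubernetes versions against the releases the article names as fixed
# for CVE-2018-1002105 (1.10.11, 1.11.5, 1.12.3, v1.13).
# Assumption: vendor builds ("-gke.1", "+abc123") keep upstream numbering.

# Prints: patched | vulnerable | unlisted | prerelease | invalid
classify_k8s_version() {
    ver=${1#v}                      # gitVersion strings start with "v"
    core=${ver%%[-+]*}              # numeric part before any "-" or "+" suffix
    suffix=${ver#"$core"}
    case $core in ''|*[!0-9.]*) echo invalid; return ;; esac
    old_ifs=$IFS; IFS=.; set -- $core; IFS=$old_ifs
    if [ $# -ne 3 ] || [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then
        echo invalid; return
    fi
    major=$1 minor=$2 patch=$3
    # alpha/beta/rc builds predate the final release carrying the same number
    case $suffix in -alpha*|-beta*|-rc*) echo prerelease; return ;; esac
    if [ "$major" -ne 1 ]; then echo unlisted; return; fi
    case $minor in
        10) fixed=11 ;;
        11) fixed=5 ;;
        12) fixed=3 ;;
        *)  # v1.13 is fixed (assumed for later minors too); older lines: no fix listed
            if [ "$minor" -ge 13 ]; then echo patched; else echo unlisted; fi
            return ;;
    esac
    if [ "$patch" -ge "$fixed" ]; then echo patched; else echo vulnerable; fi
}

# Read "cluster-name gitVersion" lines on stdin; print each cluster that is not
# confirmed patched, with the reason.
report_unpatched() {
    while read -r name gitver; do
        [ -n "$name" ] || continue
        status=$(classify_k8s_version "$gitver")
        [ "$status" = patched ] || printf '%s %s %s\n' "$name" "$gitver" "$status"
    done
}

sample_inventory() {   # constructed sample data, not from the article
    cat <<'EOF'
prod-east v1.12.3
prod-west v1.11.4
staging v1.10.11-gke.1
legacy v1.9.7
edge v1.13.0-rc.1
EOF
}
sample_inventory | report_unpatched
```

In practice the version column would be the server `gitVersion` that `kubectl version` reports for each cluster.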

Because the attack complexity is rather low and exploitation requires neither privileges nor user interaction, the flaw has been rated critical (9.8 out of 10), and applying one of the patches is strongly advised. Kubernetes-based services and products are affected as well. Red Hat, for example, has already started delivering fixes and pushing updates to its various OpenShift offerings.

According to the GitHub issue set up for the problem, there is “no simple way to detect whether this vulnerability has been used. Because the unauthorized requests are made over an established connection, they do not appear in the Kubernetes API server audit logs or server log. The requests do appear in the kubelet or aggregated API server logs, but are indistinguishable from correctly authorized and proxied requests via the Kubernetes API server.”