Monday, December 10, 2018
  • GUEST ESSAY: ‘Tis the season — to take proactive measures to improve data governance
  • Cybersecurity Investment to Shoot Up in Financial Industry in 2019; Top Firms Already Spend $1 Billion
  • Major DNS Threats: Preventing DNS Hijacking and Leaks
  • Dark Patterns: Stealth Ways Companies Collect Personal Data
  • The Quora Data Breach, Facebook’s Private Emails, Google Location Tracking – WB46

Security Boulevard

The home of the Security Bloggers Network

Community Chats Webinars Library
  • Home
    • Cybersecurity News
    • Features
    • Industry Spotlight
  • Security Bloggers Network
    • Latest Posts
    • Contributors
    • Syndicate Your Blog
    • Write for Security Boulevard
  • Webinars
    • Upcoming
    • On-Demand
  • Chats
    • CISO Conversations
  • Library

  • Analytics
  • AppSec
  • CISO
  • Cloud
  • DevOps
  • GRC
  • Identity
  • Incident Response
  • IoT / ICS
  • Threats / Breaches
  • More
    • Blockchain / Digital Currencies
    • Careers
    • Cyberlaw
    • Mobile
    • Social Engineering
Cloud Security SBN News Security Bloggers Network 

Home » Cybersecurity » Cloud Security » Critical Vulnerability Uncovered In Kubernetes

Critical Vulnerability Uncovered In Kubernetes

by Ben Layer on December 4, 2018

The first major security flaw has been uncovered in Kubernetes, the popular container orchestration system developed by Google. The vulnerability, identified as CVE-2018-1002105, carries a critical CVSS V3 rating of 9.8 due to low attack complexity, requiring no special privileges, and a network attack vector.

The vulnerability is triggered when specially crafted requests allow users to establish a connection through the Kubernetes API sever to a backend sever. Attackers can use this established channel to execute arbitrary requests on that backend.

In default configurations, any user, even unauthenticated ones, are capable of performing requests to exploit this vulnerability, greatly enhancing the possibility of mass exploitation.

To further compound the issue, no internal method of detecting exploitation of this vulnerability exists. Since the unauthorized malicious requests are performed over a valid, trusted connection, they do not appear in the Kubernetes API server audit log. Use of monitoring tools to detect unauthorized changes can help to indicate compromise and are highly beneficial in cases such as this.

Users of hosted Kubernetes solutions should be informed as to whether their provider has applied patches. Both Microsoft Azure Kubernetes Service (AKS) and Google Kubernetes Engine (GKE) have been upgraded to non-vulnerable versions; other providers may still be working on fixing the issue.

For users running their own Kubernetes systems, fixes for this vulnerability exist in versions 1.10.11, 1.11.5, 1.12.3 and 1.13.0-rc1. Users can and should obtain patches from the open source release artifacts or their software vendors.

Mitigations for CVE-2018-1002105 include disabling anonymous requests and suspending use of aggregated API servers, which will likely be disruptive in any operating environment.

Updating to a non-vulnerable version as soon as possible is highly encouraged.

Recent Articles By Author
  • Achieve CIS Compliance in Cloud, Container and DevOps (Read more...)

*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Ben Layer. Read the original post at: https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/critical-vulnerability-uncovered-in-kubernetes/

December 4, 2018December 4, 2018 Ben Layer 0 Comments CVSS, Cyber Security, Kubernetes, Latest Security News, vulnerability
  • ← Hide ‘N Seek Botnet expands | Avast
  • Using Innocent Roles to Hide Admin Users →

Predict 2019 Virtual Summit

Featured Blog

Secure Code Warrior

Why financial institutions are leading the charge to upskill their developers in secure coding

Secure Code Warrior

Why SQL Injections Are The Cockroaches of the AppSec World (and how CISOs can eradicate them once and for all)

Secure Code Warrior

A Brighter Future For DevSecOps? It’s Closer Than You Think

Subscribe to our Newsletters

Get breaking news, free eBooks and upcoming events delivered to your inbox.
  • View Security Boulevard Privacy Policy

Most Read on the Boulevard

Two Dozen Click Fraud Apps Found in Google Play
6 Ways to Improve Your Security Posture Using Critical Security Controls
Business Email Compromise Gang Targeted 50,000 Company Executives
5 Challenges Utilities Will Face in Preparing for New FERC Security Standards
Email Spam Campaign Targets U.S. Retail, Restaurant Sectors
Business Continuity and Disaster Recovery: Your Organization’s Safety Plan
An Update from San Francisco
What Cyberstalking Is and How to Prevent It
What is the Purpose of Active Directory?
Six ‘Lessons Learned’ For Mitigating DDoS Attacks

Upcoming Webinars

Thu 13

Inside a Docker Cryptojacking Exploit

December 13 @ 1:00 pm - 2:00 pm

More Webinars

Download Free eBook

Mobile-to-Mainframe: The Definitive Guide to Achieving Compliance

CISO/Security Vendor Relationship Series

CISO/Security Vendor Relationship Podcast

Recent Security Boulevard Chats

  • Cloud, DevSecOps and Network Security, All Together?
  • Security-as-Code with Tim Jefferson, Barracuda Networks
  • ASRTM with Rohit Sethi, Security Compass
  • Deception: Art or Science, Ofer Israeli, Illusive Networks
  • Tips to Secure IoT and Connected Systems w/ DigiCert

Industry Spotlight

Major DNS Threats: Preventing DNS Hijacking and Leaks
Cybersecurity Data Security Industry Spotlight Security Boulevard (Original) 

Major DNS Threats: Preventing DNS Hijacking and Leaks

December 10, 2018 Zehra Ali | 2 hours ago 0
AI/ML in Security: Know What You’re Buying
Analytics & Intelligence Cybersecurity Industry Spotlight Security Boulevard (Original) 

AI/ML in Security: Know What You’re Buying

December 7, 2018 John Omernik | 3 days ago 0
6 Ways to Improve Your Security Posture Using Critical Security Controls
Cybersecurity Industry Spotlight Network Security Security Boulevard (Original) 

6 Ways to Improve Your Security Posture Using Critical Security Controls

December 6, 2018 Destiny Bertucci | 4 days ago 0

Top Stories

Two Dozen Click Fraud Apps Found in Google Play
Featured Malware Mobile Security News Security Boulevard (Original) Spotlight Threats & Breaches 

Two Dozen Click Fraud Apps Found in Google Play

December 7, 2018 Lucian Constantin | 2 days ago 0
Email Spam Campaign Targets U.S. Retail, Restaurant Sectors
Endpoint Featured Identity & Access Malware News Security Boulevard (Original) Spotlight 

Email Spam Campaign Targets U.S. Retail, Restaurant Sectors

December 7, 2018 Lucian Constantin | 2 days ago 0
North Korean APT Group Targets Academia via Malicious Chrome Extensions
Endpoint Featured Malware News Security Boulevard (Original) Spotlight Threats & Breaches Vulnerabilities 

North Korean APT Group Targets Academia via Malicious Chrome Extensions

December 6, 2018 Lucian Constantin | 3 days ago 0

Join the Community

  • Add your blog to Security Bloggers Network
  • Write for Security Boulevard
  • Bloggers Meetup and Awards
  • Ask a Question
  • Email: info@securityboulevard.com

Useful Links

  • About
  • Media Kit
  • Sponsors Info
  • Copyright
  • TOS
  • Privacy Policy

Other Mediaops Sites

  • Container Journal
  • DevOps.com
  • DevOps Connect
  • DevOps Institute
Copyright © 2018 MediaOps Inc. All rights reserved.

Our website uses cookies. By continuing to browse the website you are agreeing to our use of cookies. For more information on how we use cookies and how you can disable them, please read our Privacy Policy.