Wednesday, December 11, 2019
  • The Old Authorized Third-Party Payment Processor Gambit, Eh?
  • Top 5 Cybersecurity Trends to Prepare for in 2020
  • DEF CON 27, Social Engineering Village, Micah Zenko’s ‘Red Teaming Insights And Examples From Beyond’
  • Five Identity and Access Management Predictions for 2020 and Beyond
  • Product Update: Sucuri Firewall in Sophia

Security Boulevard

The Home of the Security Bloggers Network

Community Chats Webinars Library
  • Home
    • Cybersecurity News
    • Features
    • Industry Spotlight
    • News Releases
  • Security Bloggers Network
    • Latest Posts
    • Contributors
    • Syndicate Your Blog
    • Write for Security Boulevard
  • Webinars
    • Upcoming
    • On-Demand
  • Chat
    • Security Boulevard Chat
    • Marketing InSecurity Podcast
  • Library

  • Analytics
  • AppSec
  • CISO
  • Cloud
  • DevOps
  • GRC
  • Identity
  • Incident Response
  • IoT / ICS
  • Threats / Breaches
  • More
    • Blockchain / Digital Currencies
    • Careers
    • Cyberlaw
    • Mobile
    • Social Engineering
  • Humor
Cloud Security SBN News Security Bloggers Network 

Home » Cybersecurity » Cloud Security » Critical Vulnerability Uncovered In Kubernetes

Critical Vulnerability Uncovered In Kubernetes

by Ben Layer on December 4, 2018

The first major security flaw has been uncovered in Kubernetes, the popular container orchestration system developed by Google. The vulnerability, identified as CVE-2018-1002105, carries a critical CVSS V3 rating of 9.8 due to low attack complexity, requiring no special privileges, and a network attack vector.

The vulnerability is triggered when specially crafted requests allow users to establish a connection through the Kubernetes API sever to a backend sever. Attackers can use this established channel to execute arbitrary requests on that backend.

In default configurations, any user, even unauthenticated ones, are capable of performing requests to exploit this vulnerability, greatly enhancing the possibility of mass exploitation.

To further compound the issue, no internal method of detecting exploitation of this vulnerability exists. Since the unauthorized malicious requests are performed over a valid, trusted connection, they do not appear in the Kubernetes API server audit log. Use of monitoring tools to detect unauthorized changes can help to indicate compromise and are highly beneficial in cases such as this.

Users of hosted Kubernetes solutions should be informed as to whether their provider has applied patches. Both Microsoft Azure Kubernetes Service (AKS) and Google Kubernetes Engine (GKE) have been upgraded to non-vulnerable versions; other providers may still be working on fixing the issue.

For users running their own Kubernetes systems, fixes for this vulnerability exist in versions 1.10.11, 1.11.5, 1.12.3 and 1.13.0-rc1. Users can and should obtain patches from the open source release artifacts or their software vendors.

Mitigations for CVE-2018-1002105 include disabling anonymous requests and suspending use of aggregated API servers, which will likely be disruptive in any operating environment.

Updating to a non-vulnerable version as soon as possible is highly encouraged.

*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Ben Layer. Read the original post at: https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/critical-vulnerability-uncovered-in-kubernetes/

December 4, 2018December 4, 2018 Ben Layer CVSS, Cyber Security, Kubernetes, Latest Security News, vulnerability
  • ← Hide ‘N Seek Botnet expands | Avast
  • Using Innocent Roles to Hide Admin Users →
Featured Blog

Enzoic

Automate Password Policy & NIST Password Guidelines

Enzoic

Enzoic Customer Profile: IDShield

Enzoic

Old vs. New Methods for Employee Password Hardening

Enzoic

Shop Safely This Cyber Monday

Subscribe to our Newsletters

Get breaking news, free eBooks and upcoming events delivered to your inbox.
  • View Security Boulevard Privacy Policy

Most Read on the Boulevard

The Role of Technology in the Modern SOC
Lack of Mobile Strategy Creates Security Holes
Predictions 2020: Data Security Next Year and Beyond
AWS Previews Cloud Security Advances
Trend Micro Looks to the Cloud for Security
Amazon Battles Leaky S3 Buckets with a New Security Tool
Going After the Good Guys: The Government’s Ransomware Identity Crisis
Ransomware at Colorado IT Provider Affects 100+ Dental Offices
Social Engineers are No Match for Artificial Intelligence
United States Of American National Pearl Harbor Remembrance Day

Upcoming Webinars

There are no upcoming webinars at this time.

Download Free eBook

The Next Generation of Application Security

Recent Security Boulevard Chats

  • Cloud, DevSecOps and Network Security, All Together?
  • Security-as-Code with Tim Jefferson, Barracuda Networks
  • ASRTM with Rohit Sethi, Security Compass
  • Deception: Art or Science, Ofer Israeli, Illusive Networks
  • Tips to Secure IoT and Connected Systems w/ DigiCert

Industry Spotlight

Predictions 2020: Data Security Next Year and Beyond
Cybersecurity Data Security Industry Spotlight Security Boulevard (Original) 

Predictions 2020: Data Security Next Year and Beyond

December 10, 2019 Ameesh Divatia | Yesterday 0
The Role of Technology in the Modern SOC
Cybersecurity Incident Response Industry Spotlight Security Boulevard (Original) 

The Role of Technology in the Modern SOC

December 9, 2019 Jason Mical | 2 days ago 0
Learning From Health Care’s IoT Security Strategy
Cybersecurity Industry Spotlight IoT & ICS Security Security Boulevard (Original) 

Learning From Health Care’s IoT Security Strategy

December 6, 2019 Mike Nelson | Dec 06 0

Top Stories

Apple Passive-Aggressive PR Sparks Privacy Fear (Yet Again)
Cybersecurity Endpoint Featured Mobile Security News Security Boulevard (Original) Spotlight Threats & Breaches 

Apple Passive-Aggressive PR Sparks Privacy Fear (Yet Again)

December 6, 2019 Richi Jennings | Dec 06 0
StrandHogg Pwns 80% of Android Phones; Google Fiddles While Platform Burns
Cybersecurity Data Security Featured Malware Mobile Security News Security Awareness Security Boulevard (Original) Spotlight 

StrandHogg Pwns 80% of Android Phones; Google Fiddles While Platform Burns

December 3, 2019 Richi Jennings | Dec 03 0
TrueDialog Leaks 600GB of Personal Data, Affecting Millions
Cloud Security Cybersecurity Data Security Featured Governance, Risk & Compliance News Security Boulevard (Original) Spotlight 

TrueDialog Leaks 600GB of Personal Data, Affecting Millions

December 2, 2019 Richi Jennings | Dec 02 0

Security Humor

via the comic delivery system monikered Randall Munroe at XKCD !

XKCD, Flu Shot

Join the Community

  • Add your blog to Security Bloggers Network
  • Write for Security Boulevard
  • Bloggers Meetup and Awards
  • Ask a Question
  • Email: info@securityboulevard.com

Useful Links

  • About
  • Media Kit
  • Sponsors Info
  • Copyright
  • TOS
  • Privacy Policy
  • DMCA Compliance Statement

Other Mediaops Sites

  • Container Journal
  • DevOps.com
  • DevOps Connect
  • DevOps Institute
Copyright © 2019 MediaOps Inc. All rights reserved.
Our website uses cookies. By continuing to browse the website you are agreeing to our use of cookies. For more information on how we use cookies and how you can disable them, please read our Privacy Policy.