It is the first known major security flaw within Kubernetes, which is complex software with a large codebase developed by Google.
Kubernetes is often used as a container, microservices, and portable cloud type platform.
The major vulnerability would allow unauthorized requests to essentially sneak in undetected and lead to a privilege escalation attack. Details were first published a few days ago on GitHub:
“Because the unauthorized requests are made over an established connection, they do not appear in the Kubernetes API server audit logs or server log… In default configurations, all users (authenticated and unauthenticated) are allowed to perform discovery API calls that allow this escalation.”
The good news—for some—is that patches are already out.
Says Wei Lien Dang, VP of Products at StackRox, which does security for containerized, cloud-native applications:
"Companies using managed Kubernetes via providers like AWS, Google, and Azure will be less susceptible. For example, Google Kubernetes Engine has already patched the vulnerability for its customers. Red Hat has also issued patched versions for its OpenShift platform. For customers who are managing Kubernetes themselves, how quickly they will upgrade to address this issue will depend on their specific processes and practices. Companies who are already limiting network access to the Kubernetes API server as a best practice will have less exposure."
And he says for such a massive and complex tool, the patch is amazingly small in scale:
"That the fix is so simple—just 37 lines of code—speaks to the maturity and high quality of the Kubernetes codebase."
SecureWorld readers will also like the headline on RedHat's blog about the Kubernetes vulnerability: "The Kubernetes privilege escalation flaw: Innovation still needs IT security expertise."
Why yes, yes it does!