Kubernetes' First Major Security Hole Discovered (zdnet.com)
Kubernetes has become the most popular cloud container orchestration system by far, so it was only a matter of time until its first major security hole was discovered. And the bug, CVE-2018-1002105, aka the Kubernetes privilege escalation flaw, is a doozy. It's a CVSS 9.8 critical security hole. From a report: With a specially crafted network request, any user can establish a connection through the Kubernetes application programming interface (API) server to a backend server. Once established, an attacker can send arbitrary requests over the network connection directly to that backend. Adding insult to injury, these requests are authenticated with the Kubernetes API server's Transport Layer Security (TLS) credentials. Can you say root? I knew you could. Worse still, "In default configurations, all users (authenticated and unauthenticated) are allowed to perform discovery API calls that allow this escalation." So, yes, anyone who knows about this hole can take command of your Kubernetes cluster.
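The summary's key point is the default RBAC setting that lets unauthenticated callers reach the discovery API. Below is an added defender-side check, not code from the article or the Kubernetes project: it takes the JSON that `kubectl get clusterrolebindings -o json` produces and reports every ClusterRoleBinding that grants a role to the `system:unauthenticated` group, with a narrower view for the default `system:discovery` and `system:basic-user` roles. The function names are hypothetical and the input is a constructed sample; the role and group names are the real Kubernetes defaults.

```python
import json

# Hypothetical helper names for this added example. Input is the JSON that
# `kubectl get clusterrolebindings -o json` returns (a List with "items").
ANONYMOUS_GROUPS = {"system:unauthenticated"}
DISCOVERY_ROLES = {"system:discovery", "system:basic-user"}


def anonymous_bindings(binding_list):
    """Return (binding, role) pairs that grant a ClusterRole to unauthenticated callers."""
    hits = []
    for crb in binding_list.get("items", []):
        role = crb["roleRef"]["name"]
        # "subjects" may be absent entirely on a binding with no subjects.
        for subj in crb.get("subjects") or []:
            if subj.get("kind") == "Group" and subj.get("name") in ANONYMOUS_GROUPS:
                hits.append((crb["metadata"]["name"], role))
    return hits


def risky_discovery_bindings(binding_list):
    """Subset of anonymous_bindings() limited to the default discovery roles."""
    return [(b, r) for b, r in anonymous_bindings(binding_list) if r in DISCOVERY_ROLES]


# Constructed sample, shaped like the kubectl output of a default cluster
# of that era: both discovery roles are bound to system:unauthenticated.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"metadata": {"name": "system:discovery"},
   "roleRef": {"kind": "ClusterRole", "name": "system:discovery"},
   "subjects": [{"kind": "Group", "name": "system:authenticated"},
                {"kind": "Group", "name": "system:unauthenticated"}]},
  {"metadata": {"name": "system:basic-user"},
   "roleRef": {"kind": "ClusterRole", "name": "system:basic-user"},
   "subjects": [{"kind": "Group", "name": "system:authenticated"},
                {"kind": "Group", "name": "system:unauthenticated"}]},
  {"metadata": {"name": "cluster-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "Group", "name": "system:masters"}]}
]}
""")

if __name__ == "__main__":
    for name, role in risky_discovery_bindings(SAMPLE):
        print(f"ClusterRoleBinding {name} grants {role} to system:unauthenticated")
```

Each reported binding is one to edit (drop the `system:unauthenticated` subject); running the API server with `--anonymous-auth=false` closes the unauthenticated path entirely but does not remove the exposure for authenticated users, so patching remains the fix.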
I'd rather have 12 isolated VMs than 1 VM with 12 containers, or any amalgamation adding up to 12 containers.
Storage is cheap. Memory isn't, but a minimal Linux install to support your software stack isn't exactly a big overhead in that regard.
The only real benefit it brings is having fewer servers (physical or virtual) to manage/update, but you'll still have at least one, so either deal with it or script it.
Except Snowden was a system administrator and he did not use his own access to exfiltrate the documents; he used 'borrowed' credentials from people whose computers he was fixing.
This sort of thing is why you can't completely stop internal threats. There are too many avenues of attack, and you can't shut them all without really slowing down things inside the business and causing problems.
This is one of the unsolved problems of security.
"First they came for the slanderers and I said nothing."
I think it mostly stems from lazy/bad app developers who can't figure out how to install their own app on anything but the one machine it was written on. Their answer is to add the entire OS install as a dependency rather than figure out how security or configuration works. After the whole industry switched from just requiring install dependencies to requiring entire running system snapshots to get anything working, tools like Kubernetes were created to address the problems of their own creations.