Kubernetes, one of the most popular cloud container orchestration systems, has been hit by a flaw. The bug, now fixed, is tracked as CVE--025 and was deemed a critical security issue. Although a fix is available, users must upgrade to the latest version, which isn't always easy for administrators.

The bug allowed malicious users to send specially crafted requests through the Kubernetes API server to a backend server. Kubernetes' own transport layer security (TLS) credentials are used to authenticate that backend connection. Once the connection is established, actors could gain access to all secrets, pods, environment variables, running pod/container processes, and persistent volumes.

This bug applies to all commercial versions of Kubernetes. Red Hat commented that the bug was a major problem and indicated that bad actors could not only steal sensitive data, but also inject malicious code and bring down production applications and services inside a company's firewall.

Those using Kubernetes are encouraged to contact the commercial distributor of their version for corrective action. Anyone running Kubernetes v1.0 – 1.9.x should stop immediately and upgrade. No malicious abuses of the hole have been reported to date.
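A quick way for an administrator to act on the version guidance above is to read the API server version out of `kubectl version --short` and flag clusters that fall in the v1.0 – 1.9.x range the article says must be upgraded. The script below is an added example, not code from the article or from the Kubernetes project; it assumes the output contains a line beginning `Server Version:` (the short-format output of older kubectl releases) and uses constructed sample output rather than a real cluster. It flags only the range the article names; whether a newer release actually carries the fix is left to confirmation with the distributor, as the article advises.

```python
import re
from typing import Optional, Tuple

# Range the article says to abandon outright: Kubernetes v1.0 through 1.9.x.
UNFIXED_RANGE = ((1, 0), (1, 9))

# Matches 'v1.9.3', '1.11', or 'v1.11.2-gke.18' (the suffix is ignored).
_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)(?:\.(\d+))?")

Version = Tuple[int, int, int]


def parse_version(text: str) -> Optional[Version]:
    """Extract (major, minor, patch) from a version string; None if absent."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def parse_server_version(kubectl_output: str) -> Optional[Version]:
    """Pull the API server version from `kubectl version --short` output.

    Assumed format (not taken from the article): one line starting with
    'Server Version:'. The 'Client Version:' line is deliberately ignored,
    since only the server side matters here.
    """
    for line in kubectl_output.splitlines():
        if line.strip().startswith("Server Version:"):
            return parse_version(line)
    return None


def in_unfixed_range(version: Version) -> bool:
    """True when major.minor lies within v1.0 .. v1.9 inclusive."""
    major, minor, _patch = version
    return UNFIXED_RANGE[0] <= (major, minor) <= UNFIXED_RANGE[1]


def assess(kubectl_output: str) -> str:
    """Return a one-line verdict for a cluster's `kubectl version --short` output."""
    v = parse_server_version(kubectl_output)
    if v is None:
        return "unknown: no 'Server Version:' line found"
    label = "v%d.%d.%d" % v
    if in_unfixed_range(v):
        return f"{label}: in the v1.0-1.9.x range; upgrade to a fixed release"
    return f"{label}: outside the unfixed range; confirm with your distributor that it carries the fix"


# Constructed sample output; not captured from a real cluster.
SAMPLE_OLD = "Client Version: v1.12.2\nServer Version: v1.9.6-gke.1\n"
SAMPLE_NEW = "Client Version: v1.12.2\nServer Version: v1.12.3\n"

if __name__ == "__main__":
    for sample in (SAMPLE_OLD, SAMPLE_NEW):
        print(assess(sample))
```

Run it against the real output of `kubectl version --short` on each cluster context; a vendor suffix such as `-gke.1` does not disturb the parse, and a missing `Server Version:` line (for example when the API server is unreachable) is reported as unknown rather than silently treated as safe.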


