Kubernetes, one of the most popular cloud container orchestration systems, has been hit by a security flaw. The bug, now fixed, is tracked as CVE-2018-1002105 and was deemed a critical security hole. Although the fix is in, users must upgrade to the latest Kubernetes version, which isn’t always easy for administrators.
The bug allowed malicious users to send specially crafted requests through the Kubernetes API server to a backend server. Kubernetes’ own transport layer security credentials are used for authentication. Once access is established, actors could gain access to all secrets, pods, environment variables, running pod/container processes, and persistent volumes.
This bug applies to all commercial versions of Kubernetes. Red Hat commented that the bug was a major problem and indicated that bad actors could not only steal sensitive data, but also inject malicious code and bring down production applications and services inside a company’s firewall.
Those using Kubernetes are encouraged to contact the commercial distributor of their version for corrective action. Anyone utilizing Kubernetes v1.0 – 1.9.x should stop immediately and upgrade. No malicious abuses of the hole have been reported to date.