The vulnerability tracked as CVE-2018-1002105 opens a critical security hole in the following Kubernetes versions:
- Kubernetes v1.0.x-1.9.x
- Kubernetes v1.10.0-1.10.10 (fixed in v1.10.11)
- Kubernetes v1.11.0-1.11.4 (fixed in v1.11.5)
- Kubernetes v1.12.0-1.12.2
Our PaaS service Cloud Container Engine (CCE) was also affected. The platform was patched last Saturday (15.12.2018). Details, and how you can check your clusters yourself, can be found below.
About the Vulnerability
Details about the vulnerability can be found at https://github.com/kubernetes/kubernetes/issues/71411. The most interesting part is this quote from Jordan Liggitt:
With a specially crafted request, users that are authorized to establish a connection through the Kubernetes API server to a backend server can then send arbitrary requests over the same connection directly to that backend, authenticated with the Kubernetes API server’s TLS credentials used to establish the backend connection.
The affected component is the Kubernetes API server, which needs to be patched, especially when it is reachable from external networks.
Patching CCEv2 (current service)
The CCEv2 service, running Kubernetes version 1.9.2, has been patched according to the community guidelines. Existing clusters were updated by script and are no longer vulnerable. The current Kubernetes version is still 1.9.2; we are working to publish the latest Kubernetes version soon.
Patching CCEv1 (deprecated service)
The Kubernetes version used by CCEv1 is 1.7, and the extension API is not used in this version. Anonymous access has been closed, so the vulnerability will not be triggered in CCEv1.
Verification of patched Clusters
The Kubernetes community provides a tool to check whether existing clusters are affected. Please refer to the link below to check your cluster's state: https://github.com/gravitational/cve-2018-1002105.
The output of a vulnerable cluster is:
    Testing for unauthenticated access...
    > API allows unauthenticated access
    Testing for privilege escalation...
    > API is vulnerable to CVE-2018-1002105
The output of a patched cluster is:
    $ ...
    Testing for unauthenticated access...
    Testing for privilege escalation...
    $
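As a first triage step before running the checker above, the version ranges listed at the top of this post can be applied to the version your API server reports. The following script is an added example written for this post, not code from the Kubernetes project or the linked tool; it assumes kubectl and jq are installed and configured for the cluster you want to inspect.

```shell
#!/bin/sh
# Added example (not part of the original post): classify a kube-apiserver
# version string against the affected ranges listed in this advisory.
# Exit status 0 = version falls in an affected range, 1 = it does not
# (including unparsable input). Vendor build suffixes such as "v1.9.2-r3"
# (constructed sample) are stripped before comparison, so a patched build
# that keeps the upstream version number, as CCEv2 does, still reports as
# affected here: this is a version triage, not proof of exposure.

cve_2018_1002105_affected() {
    ver="${1#v}"                 # drop leading "v"
    ver="${ver%%[-+]*}"          # drop pre-release/build suffix
    case "$ver" in
        *.*.*) ;;                # need major.minor.patch
        *) return 1 ;;
    esac
    major="${ver%%.*}"
    rest="${ver#*.}"
    minor="${rest%%.*}"
    patch="${rest#*.}"
    case "$minor$patch" in
        ''|*[!0-9]*) return 1 ;; # non-numeric components
    esac
    [ "$major" = "1" ] || return 1
    case "$minor" in
        [0-9]) return 0 ;;               # 1.0.x - 1.9.x: every patch level listed
        10)    [ "$patch" -le 10 ] ;;    # 1.10.0 - 1.10.10, fixed in 1.10.11
        11)    [ "$patch" -le 4 ] ;;     # 1.11.0 - 1.11.4, fixed in 1.11.5
        12)    [ "$patch" -le 2 ] ;;     # 1.12.0 - 1.12.2
        *)     return 1 ;;
    esac
}

# Usage: pass version strings on the command line, for example the live
# cluster's server version (kubectl and jq assumed available and configured):
#   sh check.sh "$(kubectl version -o json | jq -r .serverVersion.gitVersion)"
for v in "$@"; do
    if cve_2018_1002105_affected "$v"; then
        echo "$v: in an affected range, patch or upgrade kube-apiserver"
    else
        echo "$v: not in an affected range"
    fi
done
```

A version outside the affected ranges only tells you the upstream release line is fixed; whether a given cluster is actually patched is what the linked checker verifies.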