Kubernetes is an open source platform that automates Linux container operations. It is used to automate the deployment, scaling, and management of containerized applications. Its management interfaces are primarily engineering/DevOps systems and should be protected accordingly.
Disclosed December 3, 2018
The vulnerability, CVE-2018-1002105, is in the Kubernetes API and enables attackers to bypass permissions. It has a CVSS score of 9.8 (critical) and affects all versions from 1.0 through 1.9, as well as releases prior to v1.10.11.
- Update your version of Kubernetes. The patch is currently available in the following releases:
- Remove users with “anonymous access.” This is disabled on newer releases by default.
- We recommend adding a layer of protection and ensuring the Kubernetes API is not exposed to the Internet. Run the API only inside a protected network, such as a Virtual Private Network (VPN) or behind a firewall, that is reachable only with strong authentication.
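A check a defender could run against the first two recommendations, written here as an added example that is not part of the advisory: it reads the server version from `kubectl version -o json` output and the kube-apiserver command line (both supplied below as constructed samples), applies only the version threshold stated above (v1.10.11), reports branches the advisory text does not mention as "not covered", and flags whether `--anonymous-auth` is enabled.

```python
import json
import re

# Version threshold taken only from the advisory text above: all 1.0-1.9 releases
# and 1.10 releases below v1.10.11 are affected. Other minor branches are
# reported as "not covered" rather than guessed at.
PATCHED = (1, 10, 11)

def parse_version(git_version):
    """Parse a gitVersion such as 'v1.10.9' or 'v1.10.9-gke.5' into (major, minor, patch)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", git_version)
    if not m:
        raise ValueError("unrecognised Kubernetes version: %r" % (git_version,))
    return tuple(int(x) for x in m.groups())

def version_status(git_version):
    """Classify a server version against CVE-2018-1002105 using the stated threshold."""
    major, minor, patch = parse_version(git_version)
    if major != 1 or minor > PATCHED[1]:
        return "not covered"  # the advisory text above says nothing about this branch
    if minor < PATCHED[1] or patch < PATCHED[2]:
        return "vulnerable"
    return "patched"

def anonymous_auth_enabled(apiserver_args):
    """True unless kube-apiserver was started with --anonymous-auth=false.
    A missing flag is treated as enabled (the conservative reading)."""
    for i, arg in enumerate(apiserver_args):
        if arg == "--anonymous-auth":
            value = apiserver_args[i + 1] if i + 1 < len(apiserver_args) else "true"
        elif arg.startswith("--anonymous-auth="):
            value = arg.split("=", 1)[1]
        else:
            continue
        return value.strip().lower() != "false"
    return True

def audit(kubectl_version_json, apiserver_args):
    """Combine both checks into a findings dict."""
    server = json.loads(kubectl_version_json)["serverVersion"]["gitVersion"]
    return {
        "server_version": server,
        "version_status": version_status(server),
        "anonymous_auth": anonymous_auth_enabled(apiserver_args),
    }

# Constructed samples standing in for `kubectl version -o json` output and the
# kube-apiserver command line (e.g. from the static pod manifest or `ps`).
SAMPLE_VERSION_JSON = '{"clientVersion": {"gitVersion": "v1.12.3"}, "serverVersion": {"gitVersion": "v1.10.9"}}'
SAMPLE_APISERVER_ARGS = ["kube-apiserver", "--authorization-mode=RBAC", "--anonymous-auth=true", "--secure-port=6443"]

if __name__ == "__main__":
    for key, value in audit(SAMPLE_VERSION_JSON, SAMPLE_APISERVER_ARGS).items():
        print("%-16s %s" % (key, value))
```

A "patched" result covers only the version branch the advisory names; combine it with the network isolation in the last recommendation rather than treating it as a full clearance.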