Before Patched, Kubernetes Security Flaw Spread to OpenShift
A security flaw discovered in the de facto standard Kubernetes cloud container orchestrator allowed unauthorized users access to Kubernetes clusters and the data they contain.
The “privilege escalation vulnerability” announced Monday (Dec. 3) by developers affects versions 1.0 and higher of the Kubernetes orchestrator along with Red Hat OpenShift container platform. Red Hat rated the vulnerability as “critical,” denoting its potential impact on production operations.
Security researchers also noted that the vulnerability was easy to exploit. Red Hat warned that it would allow “for the creation of new services that are not approved, potentially allowing for the injection of malicious code.” In one scenario, a hacker could gain cluster administration privileges to launch unauthorized services.
Red Hat released patches to fix the security hole immediately after the flaw was reported. Widely used automatic security updates would have installed the patch.
“This vulnerability allows specially crafted requests to establish a connection through the Kubernetes API server to backend servers (such as aggregated API servers and kubelets), then send arbitrary requests over the same connection directly to the backend, authenticated with the Kubernetes API server’s [transport layer security] credentials used to establish the backend connection,” explained Jordan Liggitt, a Kubernetes community security specialist.
(A kubelet is a component responsible for the workload running on an individual machine.)
Amir Jerbi, CTO and co-founder of Aqua Security, said the vulnerability was “based in a logical flaw in Kubernetes code,” and that users should upgrade to a secured version of Kubernetes. Along with patches, Jerbi said users should disable anonymous access to Kubernetes deployments.
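The second of Jerbi's recommendations, disabling anonymous access, can be audited from the component command lines. The following is an added example, not code from the article or the Kubernetes project; it assumes only the real `--anonymous-auth` flag, which defaults to true on both kube-apiserver and kubelet, and uses constructed sample command lines. It complements the upgrade rather than replacing it.

```python
"""Audit kube-apiserver and kubelet command lines for anonymous access."""
import shlex
from typing import Dict, List

# --anonymous-auth defaults to true on both components when it is omitted,
# which is why an explicit --anonymous-auth=false is the recommended setting.
DEFAULT_ANONYMOUS_AUTH = True


def parse_flags(cmdline: str) -> Dict[str, str]:
    """Turn '--flag=value' and '--flag value' tokens into a dict."""
    flags: Dict[str, str] = {}
    tokens = shlex.split(cmdline)
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--"):
            if "=" in tok:
                key, val = tok[2:].split("=", 1)
            elif i + 1 < len(tokens) and not tokens[i + 1].startswith("--"):
                key, val = tok[2:], tokens[i + 1]
                i += 1
            else:
                key, val = tok[2:], "true"  # bare boolean flag
            flags[key] = val
        i += 1
    return flags


def anonymous_auth_enabled(cmdline: str) -> bool:
    """True if the component would accept unauthenticated requests."""
    val = parse_flags(cmdline).get("anonymous-auth")
    if val is None:
        return DEFAULT_ANONYMOUS_AUTH
    return val.strip().lower() == "true"


def audit(components: Dict[str, str]) -> List[str]:
    """Return the names of components that still allow anonymous access."""
    return [name for name, cmd in components.items() if anonymous_auth_enabled(cmd)]


# Constructed sample command lines (not taken from a real cluster).
SAMPLE = {
    "kube-apiserver": "kube-apiserver --secure-port=6443 --authorization-mode=Node,RBAC",
    "kubelet": "kubelet --anonymous-auth=false --client-ca-file=/etc/kubernetes/pki/ca.crt",
}

if __name__ == "__main__":
    for name in audit(SAMPLE):
        print(f"{name}: anonymous access enabled; set --anonymous-auth=false")
```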
Those quick fixes underscore how security teams react to the inevitable vulnerabilities that surface in enterprise distributions of open-source software, especially popular microservices platforms like Kubernetes that are widely used to deliver distributed applications. Hence, cloud security vendors are pitching new and faster ways to secure clusters and workloads running across public clouds.
“As new vulnerabilities emerge, companies need to be able to respond in real time, potentially building [security] policies on the fly to identify and then deprecate outdated or vulnerable systems,” said Brian Johnson, CEO of cloud security specialist DivvyCloud.
Kubernetes is fueling the shift to multi-cloud environments by enabling greater application portability as apps move among different servers. That shift also has upped the stakes for security, prompting cloud security vendors like DivvyCloud to recommend the replication of data across multiple cloud storage platforms.
“You need to make sure you spread yourself out so in the event you are compromised, you can protect yourself and isolate the area that has been compromised,” the company noted in a recent blog post. “This will allow you to maintain your running applications and deal with the situation in the other cloud provider.”