Advanced Computing in the Age of AI | Tuesday, March 19, 2024

Another Week, Another Kubernetes Security Flaw

The latest security vulnerability discovered in the Kubernetes cluster orchestrator could allow a user holding only namespace-scoped privileges to read, create, modify or delete cluster-scoped custom resources, that is, resources configured across the whole cluster rather than within one namespace.

The flaw in the Kubernetes API server (kube-apiserver), designated CVE-2019-11247, stems from the server accepting a request for a cluster-scoped custom resource as though the resource were namespaced. Because such a request is then authorized against the roles and role bindings of that namespace, an intruder with only standard namespace-level role-based access control, or RBAC, permissions could access or delete “custom resources” that should require cluster-wide authorization.

In response, the Kubernetes security team, which announced the vulnerability earlier this week, pushed patch releases 1.13.9, 1.14.5 and 1.15.2. Earlier release lines were also affected: the advisory lists 1.7.x through 1.12.x as vulnerable, and those lines are out of support and received no patch, so clusters running them need to upgrade to a supported line.

This week’s security vulnerability is the latest to plague the popular cluster orchestrator, which is gaining widespread enterprise deployment for handling growing volumes of distributed applications.

In the latest instance, the Kubernetes security team said “a user with access only to a resource in one namespace could create, view, update or delete the cluster-scoped resource (according to their namespace role privileges).”

Previous Kubernetes releases have emphasized security along with stability as vulnerabilities surface in accelerating enterprise deployments. Among those upgrades was expanded security for application containers running on the Microsoft Azure cloud.

StackRox, the application container runtime security vendor, noted in a blog post that companies not using the Kubernetes feature called custom resource definitions (CRDs) would be unaffected by the latest vulnerability. However, the company goes on to note, “CRDs have become a critical component of many Kubernetes-native projects like Istio, so many users are impacted.”

Istio is a “service mesh” that connects the services making up an application and thereby extends the capabilities of the Kubernetes cluster orchestrator.

Despite the access vulnerability, StackRox recommends continuing to use Kubernetes RBAC. The flaw is in how the API server mapped a namespaced request onto a cluster-scoped resource, not in RBAC itself, and the remedy is to upgrade to a patched release; turning off authorization would only widen the exposure.

The Kubernetes vulnerability is rated medium severity by the Kubernetes security team. However, the exposure is expected to grow with the accelerating adoption of custom resources used to manage cluster functionality. Only cluster-scoped custom resources are affected, and StackRox noted that an Istio service mesh installation alone creates dozens of resource definitions for configuring clusters.
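A concrete check for the two points above, the namespaced request path that an unpatched API server accepted for a cluster-scoped resource, and which RBAC grants therefore matter, follows. This Python script is an added example, not code from the article, from the Kubernetes project or from StackRox. It reads the JSON that `kubectl get crd -o json` and `kubectl get roles --all-namespaces -o json` emit, flags namespaced Roles that grant verbs on cluster-scoped custom resources, and tests a kube-apiserver version string against the patched releases. The CRD and Role documents embedded in it are constructed for the example (the Istio `clusterrbacconfigs.rbac.istio.io` CRD is a real cluster-scoped CRD; the Roles and namespaces are invented), and it inspects Roles only: a ClusterRole granted through a namespaced RoleBinding has the same effect and would need a second pass over RoleBindings.

```python
"""Exposure check for the CVE-2019-11247 pattern: namespaced RBAC grants on
cluster-scoped custom resources, plus a patched-version test.

Added example; not code from the article, Kubernetes or StackRox.
"""
import json
import re

# --- constructed sample input (not captured from a real cluster) -----------
CRDS_JSON = json.dumps({"kind": "List", "items": [
    {"kind": "CustomResourceDefinition",
     "metadata": {"name": "clusterrbacconfigs.rbac.istio.io"},
     "spec": {"group": "rbac.istio.io", "scope": "Cluster",
              "names": {"plural": "clusterrbacconfigs"}}},
    {"kind": "CustomResourceDefinition",
     "metadata": {"name": "virtualservices.networking.istio.io"},
     "spec": {"group": "networking.istio.io", "scope": "Namespaced",
              "names": {"plural": "virtualservices"}}},
]})

ROLES_JSON = json.dumps({"kind": "List", "items": [
    {"kind": "Role", "metadata": {"name": "istio-editor", "namespace": "team-a"},
     "rules": [{"apiGroups": ["rbac.istio.io"],
                "resources": ["clusterrbacconfigs"], "verbs": ["get", "update"]}]},
    {"kind": "Role", "metadata": {"name": "mesh-dev", "namespace": "team-a"},
     "rules": [{"apiGroups": ["networking.istio.io"],
                "resources": ["virtualservices"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "reader", "namespace": "team-b"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["get"]}]},
]})


def cluster_scoped_resources(crd_list):
    """Return {(group, plural)} for every CRD whose spec.scope is Cluster."""
    return {(c["spec"]["group"], c["spec"]["names"]["plural"])
            for c in crd_list["items"] if c["spec"].get("scope") == "Cluster"}


def _rule_grants(rule, group, plural):
    # RBAC treats "*" as a wildcard in both apiGroups and resources.
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    return (("*" in groups or group in groups)
            and ("*" in resources or plural in resources))


def find_exposures(crd_list, role_list):
    """List namespaced Role rules that grant verbs on cluster-scoped CRDs.

    Only items of kind Role are inspected (simplification for this example);
    ClusterRoles bound by namespaced RoleBindings would also need checking.
    """
    targets = cluster_scoped_resources(crd_list)
    hits = []
    for role in role_list["items"]:
        if role.get("kind") != "Role":
            continue
        meta = role["metadata"]
        for rule in role.get("rules", []):
            for group, plural in sorted(targets):
                if _rule_grants(rule, group, plural):
                    hits.append({"namespace": meta["namespace"], "role": meta["name"],
                                 "group": group, "resource": plural,
                                 "verbs": rule.get("verbs", [])})
    return hits


def sample_exposures():
    """Run the audit over the constructed sample documents above."""
    return find_exposures(json.loads(CRDS_JSON), json.loads(ROLES_JSON))


_FIXED_PATCH = {13: 9, 14: 5, 15: 2}  # fixed in 1.13.9, 1.14.5, 1.15.2


def is_patched(version):
    """True if a kube-apiserver version string carries the CVE-2019-11247 fix."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised version: %r" % version)
    major, minor, patch = (int(x) for x in m.groups())
    if major != 1:
        return major > 1
    if minor in _FIXED_PATCH:
        return patch >= _FIXED_PATCH[minor]
    # 1.7 through 1.12 were affected and, being out of support, got no patch
    # (older lines are treated as unpatched too); 1.16+ shipped with the fix.
    return minor >= 16


def request_paths(group, version, plural, name, namespace):
    """The two URL forms for one cluster-scoped custom resource.

    'cluster' is the correct path. 'namespaced' is the form an unpatched
    apiserver accepted for a cluster-scoped resource, authorizing it against
    `namespace`'s Roles/RoleBindings instead of cluster-wide bindings.
    """
    base = "/apis/%s/%s" % (group, version)
    return {"cluster": "%s/%s/%s" % (base, plural, name),
            "namespaced": "%s/namespaces/%s/%s/%s" % (base, namespace, plural, name)}


if __name__ == "__main__":
    for hit in sample_exposures():
        print("namespace %(namespace)s role %(role)s grants %(verbs)s on "
              "cluster-scoped %(group)s/%(resource)s" % hit)
    for v in ("v1.15.1", "v1.15.2"):
        print(v, "patched" if is_patched(v) else "UNPATCHED")
```

To run it against a real cluster, replace the two embedded documents with `kubectl get crd -o json` and `kubectl get roles --all-namespaces -o json` output and compare `kubectl version -o json` against `is_patched`. A hit does not by itself prove exploitability; it shows which namespace-level grants would have been honoured for a cluster-scoped resource on an unpatched API server, which is exactly the set to review while the upgrade is pending.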

As new tools like Istio extend the capabilities of Kubernetes, intruders have a larger attack surface to probe as they hunt for vulnerabilities.

Remediation steps recommended by the Kubernetes security team are published with the vulnerability announcement.

The security issue was first reported by a software engineer at Verizon Digital Media.

About the author: George Leopold

George Leopold has written about science and technology for more than 30 years, focusing on electronics and aerospace technology. He previously served as executive editor of Electronic Engineering Times. Leopold is the author of "Calculated Risk: The Supersonic Life and Times of Gus Grissom" (Purdue University Press, 2016).

EnterpriseAI