Another Week, Another Kubernetes Security Flaw
The latest security vulnerability discovered within the Kubernetes cluster orchestrator could allow intruders to access, modify or delete computing and storage resources configured across a cluster.
The flaw in the Kubernetes API server, designated CVE-2019-11247, allows access to and deletion of cluster-scoped “custom resources.” Intruders could reach these cluster-wide resources with only standard, namespace-scoped role-based access control, or RBAC, permissions.
This week’s security vulnerability is the latest to plague the popular cluster orchestrator that is gaining widespread enterprise deployment for handling growing volumes of distributed applications.
In the latest instance, Kubernetes security monitors said “a user with access only to a resource in one namespace could create, view, update or delete the cluster-scoped resource (according to their namespace role privileges).”
Previous releases of Kubernetes have emphasized security along with stability as vulnerabilities are exposed in accelerating enterprise deployments. Among the upgrades are expanded security for application containers running on the Microsoft Azure cloud.
StackRox, the application container runtime security vendor, noted in a blog post that companies not using a Kubernetes feature called “custom resource definitions” would be unaffected by the latest vulnerability. However, the company goes on to note, “CRDs have become a critical component of many Kubernetes-native projects like Istio, so many users are impacted.”
Istio is the “service mesh” intended to connect application components and thereby boost the capabilities of the Kubernetes cluster orchestrator.
Despite the access vulnerability, StackRox still recommends using Kubernetes RBAC.
The Kubernetes vulnerability is rated “medium-severity.” However, the security threat is expected to grow with the accelerating adoption of custom resources used to manage cluster functionality. In one example, StackRox noted that Istio service meshes often create dozens of resource definitions for configuring clusters.
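As an added illustration (not code from the article, Kubernetes or StackRox), the following Python audit helper checks for the precondition described above: a namespace-scoped Role that grants verbs on a custom resource whose CRD is cluster-scoped. The CRD and Role objects are constructed samples; the Istio-style CRD names, role names and namespaces are assumptions.

```python
# Constructed sample CRDs, shaped like apiextensions.k8s.io CRD objects.
CRDS = [
    {"metadata": {"name": "meshpolicies.authentication.istio.io"},
     "spec": {"group": "authentication.istio.io", "scope": "Cluster",
              "names": {"plural": "meshpolicies"}}},
    {"metadata": {"name": "virtualservices.networking.istio.io"},
     "spec": {"group": "networking.istio.io", "scope": "Namespaced",
              "names": {"plural": "virtualservices"}}},
]

# Constructed namespaced Roles; names and namespaces are hypothetical.
ROLES = [
    {"kind": "Role", "metadata": {"name": "istio-reader", "namespace": "team-a"},
     "rules": [{"apiGroups": ["authentication.istio.io"],
                "resources": ["meshpolicies"], "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": {"name": "vs-editor", "namespace": "team-b"},
     "rules": [{"apiGroups": ["networking.istio.io"],
                "resources": ["virtualservices"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "wildcard", "namespace": "team-c"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["delete"]}]},
]

def cluster_scoped_resources(crds):
    """Return the set of (group, plural) for every CRD whose scope is Cluster."""
    return {(c["spec"]["group"], c["spec"]["names"]["plural"])
            for c in crds if c["spec"].get("scope") == "Cluster"}

def rule_matches(rule, group, plural):
    """RBAC rules match an exact apiGroup/resource name or the "*" wildcard."""
    return (any(g in ("*", group) for g in rule.get("apiGroups", []))
            and any(r in ("*", plural) for r in rule.get("resources", [])))

def find_exposed_roles(roles, crds):
    """List (namespace, role, resource, verbs) per Role rule touching a cluster-scoped CRD."""
    targets = sorted(cluster_scoped_resources(crds))
    findings = []
    for role in roles:
        if role.get("kind") != "Role":  # ClusterRoles are cluster-wide by design
            continue
        ns, name = role["metadata"]["namespace"], role["metadata"]["name"]
        for rule in role.get("rules", []):
            for group, plural in targets:
                if rule_matches(rule, group, plural):
                    findings.append((ns, name, f"{plural}.{group}", tuple(rule.get("verbs", []))))
    return findings

if __name__ == "__main__":
    for ns, name, res, verbs in find_exposed_roles(ROLES, CRDS):
        print(f"{ns}/{name}: grants {','.join(verbs)} on cluster-scoped {res}")
```

On an API server not yet patched for CVE-2019-11247, each finding marks a resource that the Role's subjects could reach cluster-wide; the same check applies to the objects returned by kubectl get crd -o json and kubectl get roles -A -o json.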
As new tools like Istio help boost the capabilities of Kubernetes, intruders have more “attack surfaces” to probe as they hunt for vulnerabilities.
Remediation steps recommended by the Kubernetes security monitors are here.
The security issue was first reported by a software engineer at Verizon Digital Media.