Issue
On Monday, December 3, 2018, a critical vulnerability in Kubernetes, CVE-2018-1002105, was announced.
Recommendations
While CloudBees does not provide Kubernetes support, we realize that many of our customers may have questions about this CVE and look to us for guidance and direction. This article offers our recommendations and provides links to additional resources.
Background
The CVE identifier is CVE-2018-1002105; at the time of writing, its entry in the National Vulnerability Database [3] is still awaiting analysis.
The flaw is in how the Kubernetes API server proxies upgrade requests (the WebSocket/SPDY connections used for exec, attach and port-forward, and for calls to aggregated API servers). When the backend rejects such a request, the API server does not close the connection it has already opened to that backend, and the client can keep sending arbitrary requests over it. The backend sees those requests as coming from the API server itself, with the API server's own client credentials. In practice this means a user with exec, attach or portforward rights on a pod can run any kubelet API call on that node, and any user able to reach the API server (including anonymous users under the default discovery policy) can call aggregated API servers with full privileges. Either path can end in cluster-admin level access, and because the extra requests travel over an already established connection they do not appear in the API server's audit or server logs. For a high-level overview, there is the Kubernetes Privilege Escalation Flaw Explained video by Red Hat. The ZDNet article [4] offers an executive summary. The Kubernetes project's GitHub issue [1], Gravitational's CVE-2018-1002105 summary [9] and Red Hat's CVE-2018-1002105 summary [2] provide additional details.
Kubernetes releases 1.10.11, 1.11.5 and 1.12.3 resolve this issue. Earlier minor versions (1.9 and older) will not be patched, because they fall outside the supported releases; see the Supported releases and component skew section of the Kubernetes Release Versioning documentation [5]. Upgrading is the only complete fix. For clusters that cannot be upgraded immediately, the Kubernetes issue [1] lists partial mitigations: remove pod exec, attach and portforward permissions from users who should not have full access to the kubelet API, disable anonymous requests to the API server, and suspend aggregated API servers that are not needed.
Recommendations
CloudBees recommends customers update their Kubernetes deployment to one of the fixed versions:
- Kubernetes v1.10.0-1.10.10 (fixed in v1.10.11)
- Kubernetes v1.11.0-1.11.4 (fixed in v1.11.5)
- Kubernetes v1.12.0-1.12.2 (fixed in v1.12.3)
Recommendations for customers managing their own Kubernetes clusters
If you run your own clusters, upgrade the control plane to one of the fixed versions above. The security bulletins from VMware and Red Hat [2] may provide assistance for distributions built on their platforms.
Recommendations for customers using a managed Kubernetes solution
If you are using a managed Kubernetes solution, your solution provider should have already upgraded your cluster for you. Google's GKE, Microsoft's AKS and AWS's EKS have all either already updated customers' clusters or are in the process of doing so. Do not assume this has happened: confirm it against your provider's bulletin and against the server version your cluster actually reports.
Here are links to the security bulletins for GKE [7], AKS [6] and EKS [8].
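Whether you manage the cluster yourself or a provider does, the question is the same: does the API server's reported version fall inside one of the affected ranges listed above? The script below is an added example, not code from the CloudBees article or the Kubernetes project. It reduces the `gitVersion` string reported by `kubectl version -o json` to the upstream (major, minor, patch) level, ignoring vendor suffixes such as `-gke.18` or `+IKS`, and classifies it against the advisory's ranges. It assumes that anything older than 1.10 is unpatched (those lines are out of support) and that anything newer than the listed ranges already contains the fix. The embedded kubectl output is a constructed sample, not data from a real cluster.

```python
"""Added example (not part of the CloudBees article or the Kubernetes project):
classify a Kubernetes server version against the CVE-2018-1002105 fix levels."""
import json
import re
import subprocess
from typing import Tuple

Version = Tuple[int, int, int]

# Affected ranges from the advisory, expressed as [first affected, first fixed).
AFFECTED_RANGES = [
    ((1, 10, 0), (1, 10, 11)),
    ((1, 11, 0), (1, 11, 5)),
    ((1, 12, 0), (1, 12, 3)),
]
# Assumption: anything older than 1.10 is out of support and never received the fix.
OLDEST_PATCHED_LINE: Version = (1, 10, 0)

# Leading "v" is optional; vendor suffixes ("-gke.18", "-eks", "+IKS") are ignored
# because they do not change the upstream patch level.
_GIT_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_git_version(git_version: str) -> Version:
    """Reduce a kube-apiserver gitVersion string to upstream (major, minor, patch)."""
    match = _GIT_VERSION_RE.match(git_version.strip())
    if match is None:
        raise ValueError(f"unrecognised gitVersion: {git_version!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_vulnerable(git_version: str) -> bool:
    """True when the upstream patch level predates the CVE-2018-1002105 fix."""
    version = parse_git_version(git_version)
    if version < OLDEST_PATCHED_LINE:
        return True
    # Tuple comparison gives correct semver ordering for (major, minor, patch).
    return any(first <= version < fixed for first, fixed in AFFECTED_RANGES)


def server_git_version_from_kubectl(kubectl_json: str) -> str:
    """Extract serverVersion.gitVersion from `kubectl version -o json` output."""
    return json.loads(kubectl_json)["serverVersion"]["gitVersion"]


def check_live_cluster() -> bool:
    """Query the current kubeconfig context; needs kubectl and cluster access."""
    out = subprocess.run(
        ["kubectl", "version", "-o", "json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return is_vulnerable(server_git_version_from_kubectl(out))


# Constructed sample in the shape kubectl prints; not output from a real cluster.
SAMPLE_KUBECTL_JSON = """{
  "clientVersion": {"gitVersion": "v1.12.3"},
  "serverVersion": {"gitVersion": "v1.11.3-gke.18"}
}"""

if __name__ == "__main__":
    sample = server_git_version_from_kubectl(SAMPLE_KUBECTL_JSON)
    print(f"sample server {sample}: vulnerable={is_vulnerable(sample)}")
    for v in ("v1.9.11", "v1.10.10", "v1.10.11-eks", "v1.12.2+IKS", "v1.13.0"):
        print(f"{v:>14}: vulnerable={is_vulnerable(v)}")
    # Uncomment to test the cluster behind your current kubeconfig context:
    # print("live cluster vulnerable:", check_live_cluster())
```

Run it as-is to see the classification of the constructed sample and a few representative version strings; call `check_live_cluster()` to test the cluster behind your current kubeconfig context. Because the fix lives in the API server, the server version is the one that matters; the client version is irrelevant to this CVE.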
References
[1] Kubernetes GitHub issue #71411 (CVE-2018-1002105), https://github.com/kubernetes/kubernetes/issues/71411
[2] Red Hat's CVE-2018-1002105 summary, https://access.redhat.com/security/vulnerabilities/3716411
[3] NVD entry for CVE-2018-1002105, https://nvd.nist.gov/vuln/detail/CVE-2018-1002105
[4] ZDNet summary article, https://www.zdnet.com/article/kubernetes-first-major-security-hole-discovered/
[5] Kubernetes Release Versioning documentation, https://github.com/kubernetes/sig-release/blob/master/release-engineering/versioning.md#kubernetes-release-versioning
[6] AKS CVE-2018-1002105 update, https://azure.microsoft.com/en-us/updates?id=aks-clusters-patched-for-kubernetes-vulnerability
[7] GKE security bulletins, https://cloud.google.com/anthos/clusters/docs/security-bulletins
[8] AWS security bulletin AWS-2018-020, https://aws.amazon.com/security/security-bulletins/AWS-2018-020/
[9] Gravitational's CVE-2018-1002105 summary, https://goteleport.com/blog/kubernetes-websocket-upgrade-security-vulnerability/