On Monday, December 3, 2018, a critical vulnerability, CVE-2018-1002105, was announced for Kubernetes.
While CloudBees does not provide Kubernetes support, we realize that many of our customers may have questions about this CVE and look to us for guidance and direction. This article offers our recommendations and provides links to additional resources.
The problem is that an unprivileged request is not fully terminated, which can allow the requester to escalate their rights to cluster-admin level. For a high-level overview, see the Kubernetes Privilege Escalation Flaw Explained video by Red Hat; the ZDNet summary article offers an executive summary. The Kubernetes project's GitHub repository, Gravitational's CVE-2018-1002105 summary, and Red Hat's CVE-2018-1002105 summary provide additional details.
Kubernetes releases 1.10.11, 1.11.5 and 1.12.3 resolve this issue. Earlier minor versions of Kubernetes will not be updated, because they fall outside the supported releases. See the "Supported releases and component skew" section of the Kubernetes Release Versioning documentation.
CloudBees recommends customers update their Kubernetes deployment to one of the fixed versions:
Kubernetes v1.10.0-1.10.10 (fixed in v1.10.11)
Kubernetes v1.11.0-1.11.4 (fixed in v1.11.5)
Kubernetes v1.12.0-1.12.2 (fixed in v1.12.3)
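As an added example (not part of the CloudBees article), the following Python helper checks the server version reported by `kubectl version -o json` against the affected ranges listed above. It assumes the JSON shape that command emits (a `serverVersion.gitVersion` field) and flags provider build suffixes such as `-gke.N`, because managed providers ship the fix inside their own build numbers and the vendor bulletin, not this range check, is then the authority.

```python
import json
import re

# First fixed patch release per affected 1.x minor line, as listed in the advisory above.
FIXED_PATCH = {10: 11, 11: 5, 12: 3}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(.*)$")


def parse_version(git_version):
    """Return (major, minor, patch, suffix) from a gitVersion string such as
    'v1.11.3' or 'v1.11.3-gke.18'; raise ValueError if it does not parse."""
    m = _VERSION_RE.match(git_version.strip())
    if not m:
        raise ValueError(f"unrecognised Kubernetes version: {git_version!r}")
    major, minor, patch, suffix = m.groups()
    return int(major), int(minor), int(patch), suffix


def assess(git_version):
    """Classify a server version against the CVE-2018-1002105 ranges.

    'affected': inside an affected range; 'fixed_in': the release to move to,
    or None when the line is out of support and will not receive a fix;
    'check_vendor_bulletin': True when a build suffix such as '-gke.N' is
    present, because managed providers patch inside their own build numbers."""
    major, minor, patch, suffix = parse_version(git_version)
    result = {"affected": False, "fixed_in": None,
              "check_vendor_bulletin": bool(suffix)}
    if major != 1:
        return result  # not a 1.x release; outside the advisory's scope
    if minor in FIXED_PATCH:
        fixed = FIXED_PATCH[minor]
        result["affected"] = patch < fixed
        result["fixed_in"] = f"v1.{minor}.{fixed}"
    elif minor < 10:
        # Older than the supported window: vulnerable, and no upstream fix planned.
        result["affected"] = True
    # 1.13.0 and later were released after the fix landed, so they stay unaffected.
    return result


def assess_kubectl_json(output):
    """Assess the serverVersion reported by `kubectl version -o json`."""
    return assess(json.loads(output)["serverVersion"]["gitVersion"])


# Constructed sample of `kubectl version -o json` output for an unpatched 1.11 cluster.
SAMPLE_OUTPUT = json.dumps({"clientVersion": {"gitVersion": "v1.12.3"},
                            "serverVersion": {"gitVersion": "v1.11.3"}})
```

Run it as `kubectl version -o json | python3 -c 'import sys, check; print(check.assess_kubectl_json(sys.stdin.read()))'` (with the block saved as `check.py`) to get a verdict for your own cluster.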
Here are links to security bulletins from VMware and Red Hat that may provide assistance.
If you are using a managed Kubernetes service, your provider should already have upgraded your cluster for you. Google's GKE, Microsoft's AKS and AWS's EKS have either already updated customers' clusters or are in the process of doing so.
Here are links to the security bulletins for GKE, AKS and EKS.
Kubernetes GitHub repository, https://github.com/kubernetes/kubernetes/issues/71411
Red Hat's CVE-2018-1002105 summary, https://access.redhat.com/security/vulnerabilities/3716411
NVD CVE-2018-1002105, https://nvd.nist.gov/vuln/detail/CVE-2018-1002105
ZDNet's summary article, https://www.zdnet.com/article/kubernetes-first-major-security-hole-discovered/
Kubernetes Release Versioning documentation, https://github.com/kubernetes/sig-release/blob/master/release-engineering/versioning.md#kubernetes-release-versioning
AKS CVE-2018-1002105 update, https://azure.microsoft.com/en-us/updates/aks-clusters-patched-for-kubernetes-vulnerability/
GKE Security Bulletins, https://cloud.google.com/kubernetes-engine/docs/security-bulletins
AWS AWS-2018-020 Security Bulletin, https://aws.amazon.com/security/security-bulletins/AWS-2018-020/
Gravitational's CVE-2018-1002105 summary, https://gravitational.com/blog/kubernetes-websocket-upgrade-security-vulnerability/