Kubernetes is often described as the most popular open source project after Linux. A relatively young technology (less than 5 years old), it has had a smooth ride so far, but it hit a bumpy road this week when its first critical vulnerability was disclosed.
A largely vulnerability-free record for one of the most widely used technologies is an impressive feat and shows the work developers are putting into the project. What is even better is that, unlike proprietary technologies where vulnerabilities sometimes go unfixed for months (think of Intel), the Kubernetes community fixed it promptly, and vendors on both sides of the market, private cloud vendors like Red Hat and public cloud providers like Microsoft, have already pushed the patches to users.
Kubernetes v1.10.11, v1.11.5, and v1.12.3 have been released with the fix. The issue is also addressed in the upcoming v1.13.0 release.
But let's talk about the vulnerability itself. Tracked as CVE-2018-1002105, the Kubernetes privilege escalation flaw makes it possible for a malicious user to gain full administrator privileges on any compute node being run in a Kubernetes cluster, Red Hat explained in a blog post. The bug sits in kube-apiserver's proxying of connection-upgrade requests: with a specially crafted request, a user who is allowed to open a connection through the API server to a backend (a kubelet via exec, attach or port-forward, or an aggregated API server) can keep using that connection to send arbitrary requests straight to the backend, and the backend accepts them as coming from the API server itself, authenticated with the API server's own TLS credentials. The affected component is therefore the API server, and that is the version to check when deciding whether a cluster is exposed.
“This is a big deal. Not only can this actor steal sensitive data or inject malicious code, but they can also bring down production applications and services from within an organization’s firewall,” said Ashesh Badani of Red Hat.
Kubernetes developers advise that all clusters running earlier versions be updated to one of these releases immediately.
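A quick way to act on that advice is to compare the API server's reported version against the fixed releases named above. The script below is an added example written for this page, not code from the article, Red Hat or the Kubernetes project. It parses the `gitVersion` field that `kubectl version -o json` prints, ignores vendor suffixes such as `-gke.1` but treats `alpha`/`beta`/`rc` markers as pre-releases, and reports which release to upgrade to; the embedded sample JSON is constructed for illustration.

```python
"""Version check for CVE-2018-1002105 (added example; not code from the
article, Red Hat or the Kubernetes project).

The fix lives in kube-apiserver, so the API server's version is what matters.
Fixed releases are the ones named in the article: v1.10.11, v1.11.5, v1.12.3
and v1.13.0. The sample `kubectl version -o json` output below is constructed.
"""
import json
import re
import subprocess
from typing import Dict, Optional, Tuple

# First patch level carrying the fix for each affected 1.x minor release.
FIXED_PATCH = {10: 11, 11: 5, 12: 3}
FIRST_FIXED_MINOR = 13  # v1.13.0 and everything after ship with the fix

# Accept "v1.11.3", "1.12.2-gke.1", "v1.10.11+abcdef"; only alpha/beta/rc
# markers count as pre-releases, vendor suffixes such as "-gke.1" do not.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc)[.\d]*)?")


def parse_version(text: str) -> Tuple[int, int, int, bool]:
    """Return (major, minor, patch, is_prerelease) for a Kubernetes gitVersion."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Kubernetes version: {text!r}")
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch), pre is not None


def is_patched(text: str) -> bool:
    """True if this API server version contains the CVE-2018-1002105 fix."""
    major, minor, patch, pre = parse_version(text)
    if major != 1:
        raise ValueError(f"unexpected major version in {text!r}")
    if minor >= FIRST_FIXED_MINOR:
        floor = (FIRST_FIXED_MINOR, 0)
    elif minor in FIXED_PATCH:
        floor = (minor, FIXED_PATCH[minor])
    else:
        return False  # 1.9 and older: no patched release in those lines
    # A pre-release (e.g. v1.13.0-beta.2) sorts before the final release it
    # precedes, so it only counts as patched when strictly newer than the floor.
    return (minor, patch, 0 if pre else 1) >= (floor[0], floor[1], 1)


def fixed_version_for(text: str) -> Optional[str]:
    """Release to upgrade to, or None if the version is already patched."""
    if is_patched(text):
        return None
    _, minor, _, _ = parse_version(text)
    if minor in FIXED_PATCH:
        return f"v1.{minor}.{FIXED_PATCH[minor]}"
    # Older lines have no fixed release of their own; jump to the oldest one
    # that does. Pre-releases of 1.13+ go to the final 1.13.0.
    return "v1.13.0" if minor >= FIRST_FIXED_MINOR else "v1.10.11"


def check_server(version_json: str) -> Dict[str, object]:
    """Evaluate the JSON printed by `kubectl version -o json`."""
    server = json.loads(version_json)["serverVersion"]["gitVersion"]
    return {
        "server_version": server,
        "patched": is_patched(server),
        "upgrade_to": fixed_version_for(server),
    }


# Constructed sample in the shape `kubectl version -o json` produces; the
# server string imitates a managed-cluster vendor suffix.
SAMPLE_KUBECTL_VERSION_JSON = """{
  "clientVersion": {"major": "1", "minor": "12", "gitVersion": "v1.12.3"},
  "serverVersion": {"major": "1", "minor": "11+", "gitVersion": "v1.11.3-gke.1"}
}"""

if __name__ == "__main__":
    try:
        out = subprocess.run(["kubectl", "version", "-o", "json"],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_KUBECTL_VERSION_JSON  # no cluster reachable: use the sample
    result = check_server(out)
    status = ("patched" if result["patched"]
              else f"VULNERABLE, upgrade to {result['upgrade_to']}")
    print(f"API server {result['server_version']}: {status}")
```

One caveat when using this against a real cluster: `kubectl version` only talks to whichever API server the load balancer hands it, so on a highly available control plane run the check against each control-plane node (or read the version from each node's kube-apiserver binary) rather than trusting a single answer.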