Skip to main content
close search
site logo
Dive Brief

Quick response to 1st major Kubernetes flaw could strengthen trust in the system

Published Dec. 5, 2018
By
Associate Editor
Adobe Stock

Dive Brief:

  • Red Hat issued a critical security advisory and patches for a privilege escalation flaw affecting all Kubernetes-based products and services on Monday. The company emphasized "this is a big deal."
  • The flaw in the open source system falls on an API server for management and orchestration that can be exploited to gain admin privileges to other machines in a cluster, opening the door for altering existing services or deploying nefarious code. It can also be used to compromise multiple running container instances — or pods — that are running on the same compute node as the pod a user has privileges to, affording read and write access to the host file system. 
  • Compared to prior issues, this vulnerability is more severe and broadly applicable, affecting every version since v1.0 and potentially every Kubernetes user, making it the first major security hole for the popular container orchestration system, according to Wei Lien Dang, VP of products for StackRox, in a statement provided to CIO Dive. 

Dive Insight:

The scope of the flaw makes it surprising that it wasn't found sooner, Dang said. The greatest concern is that exploitation of the flaw is difficult to detect, appearing as authorized use. 

The fix is a simple 37 lines of code — a testament to the "maturity and high quality" of Kubernetes' codebase, Dang said. 

But a timely code fix doesn't necessarily address other factors that the flaw might affect, according to Red Hat, such as specialized integration points. The patch could also negatively affect certain workloads, causing a hit to performance, or even downtime. 

Some customers will be less susceptible to the flaw, including companies that use managed Kubernetes offerings from providers such as Amazon Web Services, Microsoft Azure and Google Cloud Platform and companies with limited Kubernetes API server access to their network, according to Dang. Big providers such as Google Kubernetes Engine and Red Hat have already patched vulnerabilities. 

Customers that manage Kubernetes themselves will be at greater risk, and timely upgrades will depend on their practices and processes. Many breaches have been the result of a company failing to patch a known vulnerability, and the onus will fall on security teams to execute the patch in a timely manner. 

Businesses need to pay more attention to securing Kubernetes as it becomes "the OS of the cloud," or the de facto cloud-native orchestration platform, Dang said.

Open source supports many mission critical systems, and businesses packaging open source projects it into products need to be attentive to security risks for customers. 

Overall, the disclosure and quick patch response "will generate greater trust and credibility in the platform given the way it was handled," according to Dang. Big providers demonstrated that they can identify, fix and patch the serious security issue in a timely manner. 

Recommended Reading

Filed Under: Security, Software

Editors' picks

Company Announcements

View all | Post a press release
New Research Reveals AI's Impact on IT's Power, Status, and Pay
From 1E
November 21, 2024
PointFive is Apparently the Hottest Cloud Startup, Here is Why
From Jordan Mitchell
November 21, 2024
NeuBird Named a Cool Vendor in the 2024 Gartner® Cool Vendors™ in IT Operations Leveraging Gen…
From NeuBird
November 11, 2024
Viz.ai Wins Prestigious Prix Galien USA Award for Best Digital Health Solution
From Viz.ai
November 12, 2024
Editors' picks
Latest in Security
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell