SoylentNews is people
SoylentNews
from the just-make-containers-all-the-way-down dept.
First major security flaw in popular cloud container orchestrator Kubernetes discovered – and it may be impossible to tell if you have been compromised
As outlined on Redhat’s website, the security hole or “privilege escalation flaw” is a nasty piece of work. In a nutshell, it makes it possible for any user to gain full administrator privileges on any compute node being run in a Kubernetes cluster.
[...] The vulnerability itself is located in the Kubernetes API server. Using a specially crafted connection request, the hacker can connect through the Kubernetes API server direct to the backend. Once in the network, they can then send arbitrary requests over the same connection to the backend server.
Perhaps most alarmingly, the Kubernetes API server connections to the backend are all authenticated with Kubernetes Transport Layer Security (TLS) credentials – meaning all the nefarious connections appear above board and applications functioning as normal.
[...] “There is no simple way to detect whether this vulnerability has been used. Because the unauthorized requests are made over an established connection, they do not appear in the Kubernetes API server audit logs or server log. The requests do appear in the kubelet or aggregated API server logs, but are indistinguishable from correctly authorized and proxied requests via the Kubernetes API server,” reads the post.
It doesn’t take a whole lot of hacking-nous or access privileges to take advantage of the flaw, either: “In default configurations, all users (authenticated and unauthenticated) are allowed to perform discovery API calls that allow this escalation,” continues the post.
[...] It remains to be seen whether the security flaw has been used to attack any Kubernetes user.
(Score: 0) by Anonymous Coward on Wednesday December 05 2018, @11:51AM (4 children)
I don't know. But apparently you do care enough to whinge about it. Good show!
(Score: 0) by Anonymous Coward on Wednesday December 05 2018, @12:00PM (1 child)
Such a waste of time waiting for something I can troll in a professional way.
How is that Brexit going?
(Score: 0) by Anonymous Coward on Wednesday December 05 2018, @12:20PM
A fair point. It's not too often that there are articles on here about your profession (knob-jockey to the poofy punters). But perhaps if you wait long enough...
Now get back to work! Quick as you like, matey!
WTF should I care? I'm no limey bastard!
(Score: 2) by DannyB on Wednesday December 05 2018, @03:50PM (1 child)
Gyou cgould switgh tgo kde gbut it ghas ksuch kdifferent gnaming konventions.
To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
(Score: 0) by Anonymous Coward on Thursday December 06 2018, @04:21AM
Oh Danny Boy [youtube.com]!
You're displaying [urbandictionary.com] your [oxforddictionaries.com] ignorance [merriam-webster.com]. Again [dictionary.com].
Carry on, ya damp squib!