UPDATED 22:37 EST / AUGUST 06 2019

SECURITY

Security audit reveals 34 vulnerabilities in Kubernetes code

An audit released today by the Cloud Native Computing Foundation has uncovered no fewer than 34 vulnerabilities in the code for Kubernetes, the highly popular open-source container orchestration system.

Of the vulnerabilities discovered, four were ranked as high-severity, 15 medium-severity, eight low-severity and seven of “informational” severity, which means no immediate danger, according to The Register. Containers are software that enables applications to be run unchanged across different computing environments.

Of the vulnerabilities, two stood out: one named CVE-2019-11247, which allows access to a cluster-scoped custom resource via an application programming interface, and another named CVE-2019-11249, a vulnerability that allows a malicious container to create or replace files.

The first vulnerability is described as serious by Karen Bruner from StackRox Inc., who noted that it could allow users to read, modify or delete cluster-wide custom resources.

“Although CVE-2019-11247 has been assigned a medium-severity CVSS score, it poses an especially serious threat when custom resources are used to manage functionality related to cluster or application security,” Bruner added. “For example, the Istio service mesh creates dozens of CRDs, both cluster-wide and namespaced, for its configuration.”

The initial CNCF audit, called Trail of Bits and available on GitHub, gave a somewhat mixed response to security in Kubernetes overall.

“The assessment team found configuration and deployment of Kubernetes to be non-trivial, with certain components having confusing default settings, missing operational controls, and implicitly designed security controls,” the report stated. “Also, the state of the Kubernetes codebase has significant room for improvement.”

The good news is that Kubernetes has released updates that address the aforementioned security vulnerabilities. Versions 1.13.9, 1.14.5 and 1.15.2 were released on Monday to Kubernetes users with a recommendation that all clients update to one of these releases immediately.
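An operator checking a fleet against the releases named above needs to compare each cluster's server version against the fixed patch level of its own minor line, not against a single number. The following script is an added example (not from the article, the audit or the Kubernetes project): it parses a Kubernetes version string, classifies it against the three fixed releases the article lists, and reads the server version out of the JSON that `kubectl version -o json` produces. The fixed-release table comes from the article; the JSON sample is constructed here, and the vendor suffix in it (`-gke.11`) is an assumption about how managed distributions tag builds, which the parser simply ignores. Minor lines newer than 1.15 are reported as "unknown" because the article says nothing about them.

```python
import json
import re

# Fixed releases per minor line, as named in the article (1.13.9, 1.14.5, 1.15.2).
FIXED_RELEASES = {
    (1, 13): (1, 13, 9),
    (1, 14): (1, 14, 5),
    (1, 15): (1, 15, 2),
}

# Accept "v1.14.3", "1.14.3" and vendor-suffixed builds such as "v1.14.3-gke.11";
# anything after major.minor.patch is build metadata and is ignored.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(version):
    """Return (major, minor, patch) as integers from a Kubernetes version string."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Kubernetes version: {version!r}")
    return tuple(int(part) for part in match.groups())


def patch_status(version):
    """Classify a server version against the fixed releases.

    "patched"     - at or above the fixed patch level for its minor line
    "vulnerable"  - a 1.13/1.14/1.15 release below the fixed patch level
    "unsupported" - a minor line older than 1.13, for which no fix was listed
    "unknown"     - a minor line newer than 1.15, not covered by the article
    """
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line in FIXED_RELEASES:
        return "patched" if (major, minor, patch) >= FIXED_RELEASES[line] else "vulnerable"
    if line < (1, 13):
        return "unsupported"
    return "unknown"


def report_from_kubectl_json(text):
    """Read serverVersion.gitVersion from `kubectl version -o json` output and classify it."""
    data = json.loads(text)
    server_version = data["serverVersion"]["gitVersion"]
    return server_version, patch_status(server_version)


# Constructed sample of `kubectl version -o json` output (not captured from a real cluster).
SAMPLE_KUBECTL_JSON = json.dumps({
    "clientVersion": {"gitVersion": "v1.15.2"},
    "serverVersion": {"major": "1", "minor": "14+", "gitVersion": "v1.14.3-gke.11"},
})


if __name__ == "__main__":
    version, status = report_from_kubectl_json(SAMPLE_KUBECTL_JSON)
    print(f"server {version}: {status}")
```

Run it against real output by piping `kubectl version -o json` into a small wrapper that calls `report_from_kubectl_json`; a result of "vulnerable" means the cluster is below the patch level listed for its minor line, and "unsupported" means the line has no listed fix and needs a minor-version upgrade rather than a patch.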

That vulnerabilities were found in the code for Kubernetes doesn’t come as a great surprise given the rapid pace of development. As Google LLC software engineer Janet Kuo explained (below) to SiliconANGLE’s video studio theCUBE in May, Kubernetes continues to thrive despite complexity thanks to its strong support.

“The biggest thing about Kubernetes is the really strong community and ecosystem,” Kuo said at the time. “We’ve seen people building frameworks and different open-source platforms on top of Kubernetes.”

Image: Kubernetes
