The Kubernetes community found a “high” severity security flaw in a component of the platform that could delete files on a user’s workstation. The issue comes on the heels of the latest Kubernetes release and follows the platform’s first major security flaw, which was announced late last year.
The latest flaw, dubbed CVE-2019-1002101, impacts the Kubernetes kubectl cp command. If exploited, the flaw could allow an attacker to write files to any path on the user’s machine.
Kubectl, which is pronounced “cube-cuddle,” is a command line interface (CLI) for running commands against Kubernetes clusters. Its cp subcommand copies files between containers and the user’s machine.
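The underlying problem in CVE-2019-1002101 was that kubectl cp unpacked a tar stream produced inside the container without validating the entry paths, a detail the article does not spell out. As an added example, not kubectl’s own code, here is a Python check that inspects an archive the way a hardened unpacker should, flagging entries that would land outside the destination directory; the destination path and the sample archive are constructed for the illustration.

```python
import io
import os
import tarfile


def _inside(path: str, root: str) -> bool:
    """True when the absolute path is root itself or lies beneath it."""
    return path == root or path.startswith(root + os.sep)


def unsafe_tar_members(data: bytes, dest: str = "/tmp/kubectl-cp-out") -> list:
    """Return (name, reason) for every entry that would write outside dest.

    This is the check kubectl cp lacked: entry names and link targets from
    an archive built inside a container are attacker-controlled input.
    """
    root = os.path.abspath(dest)  # assumed destination; constructed for the example
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            target = os.path.abspath(os.path.join(root, member.name))
            if member.name.startswith("/") or not _inside(target, root):
                findings.append((member.name, "entry path escapes destination"))
                continue
            if member.issym():
                # Symlink targets resolve relative to the entry's own directory.
                link = os.path.abspath(os.path.join(os.path.dirname(target), member.linkname))
                if not _inside(link, root):
                    findings.append((member.name, "symlink points outside destination"))
            elif member.islnk():
                # Hard link targets are relative to the archive root.
                link = os.path.abspath(os.path.join(root, member.linkname))
                if not _inside(link, root):
                    findings.append((member.name, "hard link points outside destination"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: one benign file plus three hostile entries."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in [("app/config.yaml", b"replicas: 3\n"),
                              ("../../.bashrc", b"# injected\n"),
                              ("/etc/cron.d/evil", b"# injected\n")]:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
        link = tarfile.TarInfo("loot")  # symlink escaping the destination
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../etc/shadow"
        tar.addfile(link)
    return buf.getvalue()
```

Running `unsafe_tar_members(build_sample_archive())` reports the traversal entry and the escaping symlink while leaving `app/config.yaml` unflagged.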
The latest security issue was initially found earlier this month by Ariel Zelivansky, a security researcher at Twistlock. He explained that the new flaw was linked to a patch that was sent out last year.
Developers are asked to update their kubectl versions to Kubernetes 1.11.9, 1.12.7, 1.13.5, and 1.14.0 to fix the issue. Most major Kubernetes distributions have also sent out updates to their managed platforms.
Rani Osnat, vice president of product marketing at Aqua Security, noted that the latest bug wasn’t “as severe as some other CVEs that were disclosed since exploiting it is quite difficult and requires a rogue container to be used inside the cluster.” He added that Kubernetes users should “remember to use only trusted images, use best practices like the [Center for Internet Security Kubernetes] benchmark, and monitor their clusters for any suspicious behavior.”
A kubectl security update was included in the Kubernetes 1.10 release from a year ago, which provided an extension point with external kubectl credential providers. This allows cloud providers, vendors, and developers to release binary plugins that can handle authentication for specific cloud-provider identity and access management (IAM) services.
The Kubernetes project earlier this week released its latest platform update, 1.14, which was somewhat light on specific security updates. However, it does provide for a hardened set of default role-based access control (RBAC) policies that are designed to improve the privacy and security posture for clusters.
Aaron Crickenberger, release lead for the latest Kubernetes update, noted in an email to SDxCentral that the Kubernetes community does not view security as something tied to specific updates and instead is “something to be continually evaluated and improved.”
“There were numerous bug fixes and security fixes included in this release – as with any Kubernetes release – but few were as visible to people (or succinctly describable) as this RBAC change,” Crickenberger explained. He did add that deeper work was ongoing through the Security Audit Working Group that was established last year.
The Kubernetes 1.13 release last December was marred by the discovery of a “critical” flaw that gave hackers full administrative privileges on any compute node being run in a Kubernetes cluster. The flaw, which was discovered by a software engineer at Rancher Labs, garnered a 9.8 (critical) score out of 10 on the Common Vulnerability Scoring System (CVSS).
Osnat said that Kubernetes is a “complex system and it’s bound to have vulnerabilities. The fact that CVE disclosures are becoming more commonplace is a good thing, as is the fact that they’re not all severe.”