Canonical publishes auto-apply vulnerability patch for Kubernetes

Thibaut Rouffineau

on 4 December 2018

Tags: Charmed Kubernetes , Cloud security , k8s , kubernetes , Security

This article is more than 6 year s old.

Charmed distribution of Kubernetes clusters auto-apply vulnerability patches for CVE-2018-1002105

On December 3 2018,  the Kubernetes project disclosed a security vulnerability in all versions of its popular container orchestration software. The vulnerability, CVE-2018-1002105, exists in the Kubernetes API server, and allows an attacker to send arbitrary requests to backend cluster services, such as kubelets. The flaw effectively allows any user to gain full administrator privileges on any compute node in the cluster. Worse still, it is nearly impossible to detect whether the security hole has been exploited.

Patches have been released to fix the security flaw in all supported versions of Kubernetes, and are available in versions 1.10.11, 1.11.5, and 1.12.3. Although some non-upgrade mitigations are possible, they are likely to be disruptive, and the Kubernetes team strongly recommends upgrading to one of the patched versions listed above.

For users of the Charmed Distribution of Kubernetes (CDK), updating to the patched versions requires no manual intervention. As of December 4 2018 in the morning, CDK clusters running any supported version (1.10.x, 1.11.x, 1.12.x) will begin to receive and apply the patches automatically, thanks to the auto-updating nature of snap packages. For CDK users running versions older than 1.10, Canonical recommends upgrading to a supported version as soon as possible.

Kubernetes

What is Kubernetes?

Kubernetes, or K8s for short, is an open source platform pioneered by Google, which started as a simple container orchestration tool but has grown into a platform for deploying, monitoring and managing apps and services across clouds.

Learn more about Kubernetes ›

Give your platform the deep integration it needs

Canonical Kubernetes optimises your systems for any cloud, on a per-cloud basis. Maximise performance and deliver security and updates across your whole cloud. Per-cloud optimisations for performance, boot speed, and drivers on all major public clouds Out-of-the-box cloud integration with the option of enterprise-grade commercial support.

Get out-the-box integration with Canonical Kubernetes ›

Newsletter signup

Get the latest Ubuntu news and updates in your inbox.

By submitting this form, I confirm that I have read and agree to Canonical’s Privacy Policy.

Related posts

Canonical announces 12 year Kubernetes LTS 

Canonical’s Kubernetes LTS (Long Term Support) will support FedRAMP compliance and receive at least 12 years of committed security maintenance and enterprise...

The hitchhiker’s guide to infrastructure modernization

One of my favourite authors, Douglas Adams, once said that “we are stuck with technology when what we really want is just stuff that works.” Whilst Adams is...

SONiC: The open source network operating system for modern data centers

Software for Open Networking in the Cloud (SONiC) is an open-source network operating system that has revolutionized data center networking. Originating as a...