Sep 19, 2022
A new vulnerability was reported on Sep 16th in kube-apiserver that allows an aggregated API server to redirect client traffic to any URL. As a result, the client may perform unexpected actions and share the API server credentials with third parties.
The API aggregation layer in the Kubernetes API server lets users extend the API with additional resources and paths that are served by a separate, aggregated API server. Unlike CRDs (custom resource definitions), these objects are not stored and served by the API server itself: every request for them is proxied to the handler endpoint registered in the corresponding APIService object.
Prior to the fixes, the API server relayed HTTP 3xx responses from the aggregated server to the client “as is”. Because that redirect arrives over the API server's own TLS connection, the client trusts it and follows it to whatever URL the 3xx response names, so a malicious endpoint can steer clients anywhere it chooses.
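The following Go program is an added illustration of the relay behaviour described above; it is not code from kube-apiserver or from this post. It models the aggregator hop in-process: an upstream handler standing in for an aggregated API server answers with a 302, and two relay functions show the difference between passing that response through unchanged (the pre-fix behaviour) and refusing to relay any 3xx (the hardened form). The upstream handler, the external hostname and the `Probe` helper are constructed for the example.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// relayResponse copies an upstream response to the client unchanged. This is the
// pre-fix behaviour: a 3xx from the aggregated API server reaches the client with
// its Location header intact, so the client follows it using the credentials it
// was presenting to the API server.
func relayResponse(w http.ResponseWriter, resp *http.Response) {
	for k, vs := range resp.Header {
		for _, v := range vs {
			w.Header().Add(k, v)
		}
	}
	w.WriteHeader(resp.StatusCode)
	io.Copy(w, resp.Body)
}

// relayResponseNoRedirect is the hardened variant: a 3xx from upstream is never
// passed on. The Location header is dropped and the client receives a 502, so the
// API server cannot be used to steer a client towards a URL chosen by the
// aggregated server.
func relayResponseNoRedirect(w http.ResponseWriter, resp *http.Response) {
	if resp.StatusCode >= 300 && resp.StatusCode < 400 {
		http.Error(w, "aggregated API server returned a redirect; refusing to relay it",
			http.StatusBadGateway)
		return
	}
	relayResponse(w, resp)
}

// proxyTo builds a handler that forwards every request to upstream and hands the
// answer to relay. In kube-apiserver this hop is a separate TLS connection to the
// APIService's backing Service; here the upstream handler runs in-process so the
// example needs no network.
func proxyTo(upstream http.Handler, relay func(http.ResponseWriter, *http.Response)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		rec := httptest.NewRecorder()
		upstream.ServeHTTP(rec, r)
		resp := rec.Result()
		defer resp.Body.Close()
		relay(w, resp)
	})
}

// redirectingBackend models an aggregated API server that answers every request
// with a 302 to an external host. Both the handler and the host are constructed
// for this example.
func redirectingBackend() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, "https://external.example.invalid/collect", http.StatusFound)
	})
}

// Probe returns the status code and Location header a client observes when its
// request to the aggregated path goes through the given relay function.
func Probe(relay func(http.ResponseWriter, *http.Response)) (int, string) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/apis/example.io/v1/widgets", nil)
	proxyTo(redirectingBackend(), relay).ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Location")
}

func main() {
	code, loc := Probe(relayResponse)
	fmt.Printf("pass-through: %d Location=%q\n", code, loc)
	code, loc = Probe(relayResponseNoRedirect)
	fmt.Printf("hardened:     %d Location=%q\n", code, loc)
}
```

Running it prints a 302 with the external Location for the pass-through relay and a 502 with no Location for the hardened one. A real proxy client should additionally set `CheckRedirect` to return `http.ErrUseLastResponse`, so that the API server process itself never follows an upstream redirect either.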
All Kubernetes clusters with the following versions that are running aggregated API servers are impacted.
Kubescape has developed a dedicated control, C-0089, in the ARMOBest framework that checks whether your cluster is exposed to this CVE.
Please install or update to the latest Kubescape version from GitHub, or via the following command:
curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash
Aggregated API servers are a trusted part of the Kubernetes control plane, and configuring them is a privileged administrative operation. Ensure that only trusted cluster administrators are allowed to create or modify APIService configuration, and follow security best practices with any aggregated API servers that may be in use.
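As an added example of the two checks this advice implies (it is not code from Kubescape or from this post), the Go program below audits two documents a cluster administrator can export with `kubectl get apiservices -o json` and `kubectl get clusterroles -o json`: it lists every APIService that is backed by a Service (that is, every aggregated API server actually in use; built-in groups have no `spec.service`) and every ClusterRole whose rules grant write verbs on `apiservices` in the `apiregistration.k8s.io` group, including wildcard rules. The two JSON documents embedded here are constructed sample data; the names they contain are not from any real cluster.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Only the fields the audit needs are modelled.
type apiServiceList struct {
	Items []struct {
		Metadata struct {
			Name string `json:"name"`
		} `json:"metadata"`
		Spec struct {
			// Nil for Local APIServices; set for aggregated ones.
			Service *struct {
				Namespace string `json:"namespace"`
				Name      string `json:"name"`
			} `json:"service"`
		} `json:"spec"`
	} `json:"items"`
}

type clusterRoleList struct {
	Items []struct {
		Metadata struct {
			Name string `json:"name"`
		} `json:"metadata"`
		Rules []struct {
			APIGroups []string `json:"apiGroups"`
			Resources []string `json:"resources"`
			Verbs     []string `json:"verbs"`
		} `json:"rules"`
	} `json:"items"`
}

// AggregatedAPIServices returns "apiservice -> namespace/service" for every
// APIService that is proxied to a backing Service.
func AggregatedAPIServices(doc []byte) ([]string, error) {
	var list apiServiceList
	if err := json.Unmarshal(doc, &list); err != nil {
		return nil, err
	}
	var out []string
	for _, it := range list.Items {
		if it.Spec.Service != nil {
			out = append(out, fmt.Sprintf("%s -> %s/%s", it.Metadata.Name,
				it.Spec.Service.Namespace, it.Spec.Service.Name))
		}
	}
	return out, nil
}

func contains(list []string, want string) bool {
	for _, v := range list {
		if v == want || v == "*" {
			return true
		}
	}
	return false
}

// RolesThatCanWriteAPIServices returns the names of ClusterRoles with at least
// one rule that allows creating, changing or deleting APIService objects.
func RolesThatCanWriteAPIServices(doc []byte) ([]string, error) {
	var list clusterRoleList
	if err := json.Unmarshal(doc, &list); err != nil {
		return nil, err
	}
	writeVerbs := []string{"create", "update", "patch", "delete", "deletecollection"}
	var out []string
	for _, role := range list.Items {
		for _, rule := range role.Rules {
			if !contains(rule.APIGroups, "apiregistration.k8s.io") || !contains(rule.Resources, "apiservices") {
				continue
			}
			writes := false
			for _, v := range writeVerbs {
				writes = writes || contains(rule.Verbs, v)
			}
			if writes {
				out = append(out, role.Metadata.Name)
				break
			}
		}
	}
	return out, nil
}

// Constructed sample exports (not from a real cluster).
var sampleAPIServices = []byte(`{"items":[
 {"metadata":{"name":"v1."},"spec":{"group":"","version":"v1"}},
 {"metadata":{"name":"v1beta1.metrics.k8s.io"},"spec":{"service":{"namespace":"kube-system","name":"metrics-server"}}},
 {"metadata":{"name":"v1alpha1.example.io"},"spec":{"service":{"namespace":"extensions","name":"example-aggregator"}}}
]}`)

var sampleClusterRoles = []byte(`{"items":[
 {"metadata":{"name":"cluster-admin"},"rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["*"]}]},
 {"metadata":{"name":"view"},"rules":[{"apiGroups":["apiregistration.k8s.io"],"resources":["apiservices"],"verbs":["get","list","watch"]}]},
 {"metadata":{"name":"apiservice-editor"},"rules":[{"apiGroups":["apiregistration.k8s.io"],"resources":["apiservices"],"verbs":["create","update","patch"]}]}
]}`)

func main() {
	agg, _ := AggregatedAPIServices(sampleAPIServices)
	fmt.Println("aggregated API servers in use:", agg)
	writers, _ := RolesThatCanWriteAPIServices(sampleClusterRoles)
	fmt.Println("cluster roles able to modify APIService objects:", writers)
}
```

The second list is the one to review against the list of trusted administrators; any role on it that is bound to a non-administrative subject widens who can register an aggregated API server. Roles and RoleBindings scoped to a namespace cannot grant access to the cluster-scoped APIService resource, so checking ClusterRoles (and the ClusterRoleBindings that reference them) covers this resource.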
Fixed Versions