An Unpatched MiTM Vulnerability Affects All Kubernetes Versions


An unpatched man-in-the-middle (MiTM) vulnerability disclosed by Kubernetes Product Security affects all versions of Kubernetes, and in particular multi-tenant clusters that grant tenants the ability to create and update services.

An unpatched man-in-the-middle (MiTM) vulnerability has recently been discovered that affects all versions of Kubernetes, as disclosed by Kubernetes Product Security. It is a medium-severity issue (CVE-2020-8554) in which attackers who are able to create or edit services and pods can intercept traffic from other pods (or nodes) in the cluster.

This vulnerability, reported by Etienne Champetier of Anevia, is a design flaw that cannot be mitigated without user-facing changes; a long-term fix is in the works.

In the recently published security advisory, Tim Allclair explained it further:

“An attacker that is able to create a ClusterIP service and set the spec.externalIPs field can intercept traffic to that IP. An attacker that is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.”

The Impact and the Extent of the Vulnerability

All Kubernetes versions are affected by this vulnerability, especially multi-tenant clusters that grant tenants the ability to create and update services.

Only a small number of Kubernetes deployments should be affected, given the limited use of external IP services in multi-tenant clusters, and because granting tenant users patch permission on service/status for LoadBalancer IPs is not recommended.

At this point in time, there’s no patch for this issue and restricting access to vulnerable features is the only way to mitigate it.
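Since the only available mitigation is restricting access to the two fields the advisory names, an audit that finds Services already using them is a practical first step. The following is an added example, not code from the advisory or this article: it walks the output of `kubectl get services -A -o json` and flags any `spec.externalIPs` entry, plus any `status.loadBalancer.ingress[].ip` on a LoadBalancer Service that falls outside an allowlist of the IP ranges your cloud provider actually assigns. The allowlist range and the sample Service objects are constructed for illustration.

```python
import ipaddress

# Assumption: the ranges your cloud load balancer hands out. Any ingress IP
# outside them suggests status was patched by hand rather than by the
# cloud controller. 203.0.113.0/24 is a documentation range used as a stand-in.
ALLOWED_LB_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def _in_allowed_range(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_LB_RANGES)


def audit_services(service_list: dict) -> list:
    """Return (namespace, name, reason) tuples for Services that could
    redirect in-cluster traffic in the way CVE-2020-8554 describes."""
    findings = []
    for svc in service_list.get("items", []):
        meta = svc.get("metadata", {})
        ns, name = meta.get("namespace", ""), meta.get("name", "")
        spec = svc.get("spec", {})
        # Any externalIPs entry makes kube-proxy route traffic for that IP
        # to this Service, whether or not the IP belongs to the tenant.
        for ip in spec.get("externalIPs") or []:
            findings.append((ns, name, f"spec.externalIPs contains {ip}"))
        # LoadBalancer ingress IPs are normally written by the cloud
        # controller; an IP outside its ranges indicates a patched status.
        if spec.get("type") == "LoadBalancer":
            status = svc.get("status", {}).get("loadBalancer", {})
            for entry in status.get("ingress") or []:
                ip = entry.get("ip")
                if ip and not _in_allowed_range(ip):
                    findings.append((ns, name, f"status.loadBalancer.ingress.ip {ip} outside allowed ranges"))
    return findings


# Constructed sample shaped like `kubectl get services -A -o json` output.
SAMPLE = {"items": [
    {"metadata": {"namespace": "tenant-a", "name": "web"},
     "spec": {"type": "ClusterIP", "externalIPs": ["10.0.0.50"]}},
    {"metadata": {"namespace": "tenant-b", "name": "api"},
     "spec": {"type": "LoadBalancer"},
     "status": {"loadBalancer": {"ingress": [{"ip": "10.0.0.50"}]}}},
    {"metadata": {"namespace": "prod", "name": "frontend"},
     "spec": {"type": "LoadBalancer"},
     "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.7"}]}}},
]}

if __name__ == "__main__":
    for ns, name, reason in audit_services(SAMPLE):
        print(f"{ns}/{name}: {reason}")
```

Feed it the real JSON (`json.load` of the kubectl output) and schedule it alongside the RBAC review that removes create/update on services and patch on services/status from tenant roles.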
