Kubernetes: Critical Security Bug in TLS Client Auth

October 20, 2016 · By Brandon Philips

A critical security bug has been found and fixed in Kubernetes TLS client authentication. This vulnerability affects Kubernetes v1.4.2 and older, and has been fixed in Kubernetes v1.4.3 and higher.

Identifying Affected Systems

To determine if a Kubernetes cluster is currently running a vulnerable version, run:

$ kubectl version | grep -i Server | sed -n 's%.*GitVersion:"\([^"]*\).*%\1%p'
v1.4.0

This queries the API server behind your current kubectl context and prints only the server's GitVersion (the grep drops the "Client Version" line, so the version of your local kubectl does not matter here). A cluster is affected if the printed version is older than v1.4.3. Make sure you are talking to the cluster you intend to check; "kubectl config current-context" shows which context the command will use.
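The one-liner above requires a human to read the version and compare it by eye. As an added example (not code from the original post or from CoreOS), the script below wraps the same extraction in a function and adds a numeric comparison against v1.4.3, so it can be run across many contexts or in a cron job. It goes slightly beyond the text by handling build suffixes such as "+coreos.1" and pre-release tags such as "-alpha.1", which are stripped before comparing; the sample `kubectl version` output it parses is constructed for the example, and the hypothetical version strings in it are not real releases.

```shell
#!/bin/sh
# Added example (not from the original post): classify a cluster as affected
# or not by comparing the API server's GitVersion against the fixed release.

# Constructed sample of `kubectl version` output (commit hashes are fake).
SAMPLE_KUBECTL_VERSION='Client Version: version.Info{Major:"1", Minor:"4", GitVersion:"v1.4.3", GitCommit:"0000000", GitTreeState:"clean", BuildDate:"2016-10-17T18:52:33Z", GoVersion:"go1.6.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"4", GitVersion:"v1.4.0+coreos.1", GitCommit:"1111111", GitTreeState:"clean", BuildDate:"2016-09-27T08:38:44Z", GoVersion:"go1.6.3", Compiler:"gc", Platform:"linux/amd64"}'

# Read `kubectl version` output on stdin and print only the server GitVersion.
# Same grep/sed as the one-liner in the post; the client line is discarded.
server_git_version() {
  grep -i '^Server' | sed -n 's%.*GitVersion:"\([^"]*\)".*%\1%p'
}

# Print "major minor patch" for strings like v1.4.3, v1.4.0+coreos.1 or
# v1.5.0-alpha.1. The leading "v" and any "-pre" / "+build" suffix are
# dropped, so a pre-release of 1.5.0 compares as 1.5.0 (i.e. as fixed).
version_fields() {
  printf '%s\n' "$1" | sed 's/^v//; s/[-+].*$//' | awk -F. '{ printf "%d %d %d\n", $1, $2, $3 }'
}

# Exit 0 if the given GitVersion is older than v1.4.3 (still affected),
# 1 if it is v1.4.3 or newer, 2 if the string cannot be parsed.
is_vulnerable() {
  fields=$(version_fields "$1")
  [ -n "$fields" ] || { echo "cannot parse version: $1" >&2; return 2; }
  set -- $fields   # word-split into major minor patch
  major=$1; minor=$2; patch=$3
  if [ "$major" -lt 1 ]; then return 0; fi
  if [ "$major" -gt 1 ]; then return 1; fi
  if [ "$minor" -lt 4 ]; then return 0; fi
  if [ "$minor" -gt 4 ]; then return 1; fi
  [ "$patch" -lt 3 ]
}

# Stand-alone demo: classify the constructed sample above. Against a real
# cluster, replace the printf with: kubectl version | server_git_version
server=$(printf '%s\n' "$SAMPLE_KUBECTL_VERSION" | server_git_version)
if is_vulnerable "$server"; then
  echo "server $server: AFFECTED, upgrade to v1.4.3 or later"
else
  echo "server $server: not affected"
fi
```

To sweep every context in your kubeconfig, loop over "kubectl config get-contexts -o name" and pass "--context=$ctx" to kubectl before piping into server_git_version; the comparison logic does not change.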

Fixing Affected Tectonic Clusters

We have released Tectonic v1.4.3, which includes the Kubernetes v1.4.3 fix. For existing clusters we recommend migrating to this version. New bare-metal and AWS clusters created from today onward are not affected.

Existing Tectonic on Bare Metal or AWS clusters can be upgraded using the usual cluster migration upgrade docs.

If you have any problems with upgrading to Tectonic v1.4.3 please contact our support team. Our team is on call to help.

Fixing Other Affected Kubernetes Clusters

CoreOS also documents and releases community-supported tools for installing Kubernetes. These projects (coreos-kubernetes, bootkube, and coreos-baremetal) have been updated to Kubernetes v1.4.3 for new clusters.

And there are upgrade guides for existing clusters:

If you have any problems with upgrading to Kubernetes v1.4.3 please contact the community support channels.

Incident Response

We are working as part of the Kubernetes community to make security responses faster. This issue was reported in the public Kubernetes issue tracker 10 days ago, a fix was merged 9 days ago, and the public release announcement was made today. We know that this response time can be improved, and we will share improvements to the security response process in a future post.