All posts tagged “security”

Background on the Stack Clash

Security researchers at Qualys recently disclosed new techniques to exploit stack allocations on several operating systems, even in the face of a number of security measures. Qualys was able to find numerous local-root exploits — exploits which allow local users of a system to gain root privileges — by applying stack allocation techniques against various pieces of userspace software.

An admission plugin security vulnerability related to PodSecurityPolicies was patched with the release of Kubernetes v1.5.5. This vulnerability could allow users to make use of any PodSecurityPolicies object, including those they are not authorized to use.

Am I affected by this vulnerability?

This vulnerability only affects Kubernetes v1.5.0-1.5.4 and, more specifically, installations that do all of the following:

A critical security bug has been found and fixed in Kubernetes TLS client authentication. This vulnerability affects Kubernetes v1.4.2 and older, and has been fixed in Kubernetes v1.4.3 and higher.

Identifying Affected Systems

To determine if a Kubernetes cluster is currently running a vulnerable version, run:

Update 2 (May 19): Read the post-mortem blog post dissecting this vulnerability and the CoreOS response

Update 1 (May 16 04:28 PDT): 99% of affected hosts have been updated

We are happy to announce that Quay Security Scanner is now available in the latest release (v1.16.0) of Quay Enterprise, the on-premises version of the Quay container registry by CoreOS. This release marks the Quay Security Scanner feature as enterprise ready. When this feature is enabled in Quay Enterprise, all container images in the registry are indexed and cross-referenced against public vulnerability databases.

You may have heard that the open source project Clair by CoreOS recently released version 1.0. If you’ve been following along, you may also know that Quay’s Security Scanner, a container registry feature that analyzes container images for known vulnerabilities, is based on Clair. Quay Security Scanner now has an entirely new interface atop the Clair 1.0 APIs and PostgreSQL backend.

Clair, by CoreOS

Four months ago, CoreOS launched an

This week Go 1.5.3 was released to address a security vulnerability. CoreOS Linux itself and the CoreOS products shipped with it are not affected by this issue. Users of etcd and dex on other operating systems should take action.

Today we are releasing a new feature in beta, Security Scanning. Quay Security Scanning will automatically detect and report vulnerabilities in your containers. We have already scanned millions of containers on Quay with this feature, and found that nearly 80% are subject to major vulnerabilities, such as Heartbleed.

At CoreOS, running containers securely is a number one priority. We recently landed a number of features that are helping make CoreOS Linux a trusted and even more secure place to run containers. As of the 808.0.0 release, CoreOS Linux is tightly integrated with SELinux to enforce fine-grained permissions for applications. Building on top of these permissions, our container runtime, rkt, has gained support for SVirt in addition to a default SELinux policy.
