All posts tagged “security”

I'm often asked why we started CoreOS. I've written before about our mission to secure the internet. Recently, I was challenged further: Why do you care about securing the internet? This question gets at the heart of CoreOS, and deserves a well-articulated answer. Securing the internet is key to preserving our privacy, and ultimately our freedoms.

Background on the Stack Clash

Security researchers at Qualys recently disclosed new techniques to exploit stack allocations on several operating systems, even in the face of a number of security measures. Qualys was able to find numerous local-root exploits — exploits which allow local users of a system to gain root privileges — by applying stack allocation techniques against various pieces of userspace software.

An admission plugin security vulnerability related to PodSecurityPolicies was patched with the release of Kubernetes v1.5.5. This vulnerability could allow users to make use of any PodSecurityPolicies object, including those they are not authorized to use.

Am I affected by this vulnerability?

This vulnerability only affects Kubernetes v1.5.0-1.5.4 and, more specifically, installations that do all of the following:

A critical security bug has been found and fixed in Kubernetes TLS client authentication. This vulnerability affects Kubernetes v1.4.2 and older, and has been fixed in Kubernetes v1.4.3 and higher.

Identifying Affected Systems

To determine if a Kubernetes cluster is currently running a vulnerable version, run:

Update 2 (May 19): Read the post-mortem blog post dissecting this vulnerability and the CoreOS response

Update 1 (May 16 04:28 PDT): 99% of affected hosts have been updated

We are happy to announce that Quay Security Scanner is now available in the latest release (v1.16.0) of Quay Enterprise, the on-premises version of the Quay container registry by CoreOS. This release marks the Quay Security Scanner feature as enterprise ready. When this feature is enabled in Quay Enterprise, all container images in the registry are indexed and cross-referenced against public vulnerability databases.

You may have heard that the open source project Clair by CoreOS recently released version 1.0. If you’ve been following along, you may also know that Quay’s Security Scanner, a container registry feature that analyzes container images for known vulnerabilities, is based on Clair. Quay Security Scanner now has an entirely new interface atop the Clair 1.0 APIs and PostgreSQL backend.

Clair, by CoreOS

Four months ago, CoreOS launched an

This week Go 1.5.3 was released to address a security vulnerability. CoreOS Linux itself and the CoreOS products shipped with it are not affected by this issue. Users of etcd and dex on other operating systems should take action.

Today we are releasing a new feature in beta, Security Scanning. Quay Security Scanning will automatically detect and report vulnerabilities in your containers. We have already scanned millions of containers on Quay with this feature, and found that nearly 80% are subject to major vulnerabilities, such as Heartbleed.
