All posts tagged “security”

Today we are issuing patches for two newly disclosed security vulnerabilities affecting all versions of Tectonic and Kubernetes versions 1.3 through 1.10. The vulnerabilities have been assigned CVE-2017-1002101 and CVE-2017-1002102, respectively.

New releases of Container Linux addressing the Meltdown attack, caused by vulnerabilities in many modern processors, are now available in all three Container Linux release channels: Alpha 1649.0.0, Beta 1632.1.0, and Stable 1576.5.0. Updates are rolling out to the Alpha and Beta channels now, and should complete over the next 24-48 hours. By default, Container Linux will apply these updates automatically, but systems with non-default configurations should be manually updated as soon as possible.

A recent information disclosure vulnerability (CVE-2018-5256) was found and addressed in Tectonic; it affects versions 1.7 through 1.8. Unauthenticated users were able to list all Namespaces through the Console. In 1.8, which finalized the transition from Third Party Resources (TPRs) to Custom Resource Definitions (CRDs), the ability to list all CRDs was affected by the same bug. The API endpoint is intended to let only logged-in users list all namespaces.

CoreOS was founded with the mission of securing the internet, and containerized infrastructure is a big part of how we’re achieving that aim. That’s why we were gratified to see the new guidance on application container security issued by the National Institute of Standards and Technology (NIST). In many ways, the report affirms the core principles upon which CoreOS was founded.

With the release of Kubernetes 1.8, role-based access control (RBAC) has been promoted from beta to general availability. CoreOS, through our participation in the Kubernetes SIG Auth group, played a significant role in getting RBAC implemented in upstream Kubernetes. With its graduation to general availability, the feature and its core APIs can be considered stable.

Security researchers have recently discovered multiple remotely exploitable vulnerabilities affecting all users of Kubernetes 1.5.0 through 1.7.6. While the risk of an attacker successfully exploiting these flaws is relatively low, the vulnerabilities could potentially allow arbitrary code execution or DoS attacks and thus demand immediate attention. CoreOS Tectonic users can be assured, however, that patches are now available and can be applied with a single click or automatically, if configured.

Today, along with the rest of the Kubernetes community, we’re cheering the release of Kubernetes 1.8. Momentum within the community continues to grow as organizations embrace Kubernetes as the leading platform for container orchestration. This release continues the Kubernetes community's commitment to security and extensibility, with work on stabilizing existing features even as new ones are added.

I'm often asked why we started CoreOS. I've written before about our mission to secure the internet. Recently, I was challenged further: Why do you care about securing the internet? This question gets at the heart of CoreOS, and deserves a well-articulated answer. Securing the internet is key to preserving our privacy, and ultimately our freedoms.

Background on the Stack Clash

Security researchers at Qualys recently disclosed new techniques for exploiting stack allocations on several operating systems, even in the face of a number of existing security measures. By applying these stack allocation techniques against various pieces of userspace software, Qualys was able to find numerous local-root exploits, that is, exploits which allow local users of a system to gain root privileges.

An admission plugin security vulnerability related to PodSecurityPolicies was patched with the release of Kubernetes v1.5.5. This vulnerability could allow users to make use of any PodSecurityPolicies object, including those they are not authorized to use.

Am I affected by this vulnerability?

This vulnerability only affects Kubernetes v1.5.0-1.5.4 and, more specifically, installations that do all of the following:
