
Container Service for Kubernetes:Vulnerability fixed: CVE-2018-1002105 in Kubernetes

Last Updated: Jan 29, 2024

Alibaba Cloud has fixed vulnerability CVE-2018-1002105 for Container Service for Kubernetes (ACK). This topic describes the impact and how to fix the vulnerability.

Background

Vulnerability CVE-2018-1002105 was discovered by the Kubernetes community. A Kubernetes user who has established a connection to the API Server of a cluster can send requests through that connection and escalate privileges to access backend services. Alibaba Cloud has fixed this vulnerability. You can log on to the ACK console and upgrade the Kubernetes version of your clusters.

For more information about vulnerability CVE-2018-1002105, see CVE-2018-1002105.

Affected versions

  • Kubernetes v1.0.x-1.9.x

  • Kubernetes v1.10.0-1.10.10 (fixed in v1.10.11)

  • Kubernetes v1.11.0-1.11.4 (fixed in v1.11.5)

  • Kubernetes v1.12.0-1.12.2 (fixed in v1.12.3)

Affected cluster configurations

  • ACK clusters where an extension API Server is set up and the extension API Server can directly connect to kube-apiserver.

  • ACK clusters that expose the pod exec/attach/portforward interface to users. An attacker with access to this interface can exploit the vulnerability to gain full permissions on the kubelet API.

ACK cluster configurations

  • By default, role-based access control (RBAC) is enabled on the API Servers of ACK clusters. Anonymous users that are not authorized by Alibaba Cloud accounts are prohibited from calling certain APIs. In addition, --anonymous-auth=false is added to the startup parameters of kubelet to restrict external access.

  • In multi-tenant ACK clusters, Resource Access Management (RAM) users can gain unauthorized access through the pod exec/attach/portforward interface. If your clusters have only administrator accounts, you do not need to be concerned.

  • By default, RAM users that are not authorized by Alibaba Cloud accounts cannot access the Aggregation API.
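A defender-side check for the exposure described in the two lists above, added here as an example and not part of the Alibaba Cloud documentation: it walks exported RBAC objects (assumed to be in the shape of kubectl get ... -o json items, embedded below as constructed samples) and reports which subjects can reach pods/exec, pods/attach or pods/portforward, the subresources through which this vulnerability is abused on an unpatched cluster.

```python
RISKY = {"pods/exec", "pods/attach", "pods/portforward"}  # exploitation path per advisory

def rule_grants(rule: dict) -> set:
    """Return the risky subresources a single RBAC PolicyRule grants."""
    groups, verbs = set(rule.get("apiGroups", [])), set(rule.get("verbs", []))
    if not ({"", "*"} & groups):
        return set()                            # pods live in the core ("") group
    if not ({"create", "get", "*"} & verbs):
        return set()                            # POST maps to create, GET to get
    resources = set(rule.get("resources", []))
    return set(RISKY) if "*" in resources else RISKY & resources

def subjects_with_exec_access(roles: list, bindings: list) -> dict:
    """Map 'Kind:name' of each bound subject to the risky subresources it reaches."""
    def key(kind, ns, name):                    # Roles are namespaced, ClusterRoles not
        return (kind, ns if kind == "Role" else None, name)
    index = {key(r["kind"], r["metadata"].get("namespace"), r["metadata"]["name"]): r for r in roles}
    found = {}
    for b in bindings:
        ref = b["roleRef"]
        role = index.get(key(ref["kind"], b["metadata"].get("namespace"), ref["name"]))
        if role is None:
            continue                            # binding to a role missing from export
        granted = set().union(*(rule_grants(r) for r in role.get("rules", [])))
        if not granted:
            continue
        for s in b.get("subjects", []):
            found.setdefault(f"{s['kind']}:{s['name']}", set()).update(granted)
    return found

# Constructed sample objects in the shape of `kubectl get ... -o json` items.
SAMPLE_ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "pod-exec"},
     "rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]},
    {"kind": "Role", "metadata": {"name": "viewer", "namespace": "team"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]
SAMPLE_BINDINGS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "devs"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-exec"},
     "subjects": [{"kind": "User", "name": "dev-a"}]},
    {"kind": "RoleBinding", "metadata": {"name": "view", "namespace": "team"},
     "roleRef": {"kind": "Role", "name": "viewer"},
     "subjects": [{"kind": "User", "name": "viewer-b"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "admins"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
]
```

Calling subjects_with_exec_access(SAMPLE_ROLES, SAMPLE_BINDINGS) on the samples flags dev-a (pods/exec only) and system:masters (all three via wildcards) while the read-only viewer-b is not listed; on a real export, every listed subject is one that should be trusted until the cluster is upgraded to a fixed version.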

Fixes

Log on to the ACK console and upgrade your clusters. For more information, see Update an ACK cluster or update only the control planes or node pools in an ACK cluster.

  • If your clusters use Kubernetes 1.11.2, upgrade to Kubernetes 1.11.5.

  • If your clusters use Kubernetes 1.10.4, upgrade to Kubernetes 1.10.11 or 1.11.5.

  • If your clusters use Kubernetes 1.9 or earlier, upgrade to Kubernetes 1.10.11 or 1.11.5. When you upgrade from Kubernetes 1.9 to 1.10 or 1.11 and cloud disks are mounted to your cluster, you must first upgrade FlexVolume in the ACK cluster.

    Note

    In the ACK console, select the cluster for which you want to upgrade FlexVolume. In the navigation pane, choose More > Upgrade System Component. On the Upgrade System Component page, select flexvolume and click Upgrade.

The security of ACK Serverless clusters had been reinforced before this vulnerability was introduced. Therefore, ACK Serverless clusters are not affected.