Alibaba Cloud has fixed vulnerability CVE-2018-1002105 for Container Service for Kubernetes (ACK). This topic describes the impact and how to fix the vulnerability.

Background

Vulnerability CVE-2018-1002105 was discovered by the Kubernetes community. A Kubernetes user can send requests to the API server of a cluster through an established connection and escalate privileges to access backend services. Alibaba Cloud fixed this vulnerability at the earliest opportunity. You can log on to the ACK console and upgrade the Kubernetes version of your clusters.

For more information about vulnerability CVE-2018-1002105, see CVE-2018-1002105.

Affected versions

  • Kubernetes v1.0.x-1.9.x
  • Kubernetes v1.10.0-1.10.10 (fixed in v1.10.11)
  • Kubernetes v1.11.0-1.11.4 (fixed in v1.11.5)
  • Kubernetes v1.12.0-1.12.2 (fixed in v1.12.3)

Affected cluster configurations

  • ACK clusters where an extension API Server is set up and the extension API Server can directly connect to kube-apiserver.
  • ACK clusters that expose the pod exec/attach/portforward interface to users. Users can exploit the vulnerability to gain full permissions on the kubelet API.

ACK cluster configurations

  • By default, role-based access control (RBAC) is enabled for the API servers of ACK clusters. Anonymous users that are not authorized by Alibaba Cloud accounts are prohibited from calling certain APIs. In addition, --anonymous-auth=false is added to the startup parameters of kubelet to control external access.
  • Resource Access Management (RAM) users of multi-tenant ACK clusters can gain unauthorized access through the pod exec/attach/portforward interface. You do not need to be concerned if your clusters have only administrator accounts.
  • By default, RAM users that are not authorized by Alibaba Cloud accounts cannot access the Aggregation API.

Fixes

Log on to the ACK console and upgrade your clusters. For more information, see Upgrade a cluster.
  • If your clusters use Kubernetes 1.11.2, upgrade to Kubernetes 1.11.5.
  • If your clusters use Kubernetes 1.10.4, upgrade to Kubernetes 1.10.11 or 1.11.5.
  • If your clusters use Kubernetes 1.9 or earlier, upgrade to Kubernetes 1.10.11 or 1.11.5. When you upgrade Kubernetes 1.9 to 1.10 or 1.11, you must first upgrade FlexVolume in the ACK cluster if cloud disks are mounted to your cluster.
    Note: In the ACK console, select the cluster for which you want to upgrade FlexVolume. In the navigation pane, choose More > Upgrade System Component. On the Upgrade System Component page, select flexvolume and click Upgrade.
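
To check whether a cluster falls into the affected ranges listed above, the following added script (not part of this topic or of ACK) reads the server version from the JSON that `kubectl version -o json` prints and maps it to the fixed release from the Affected versions list. The sample JSON is constructed; run `kubectl version -o json` against your own cluster and feed its output to assess_kubectl_output.

```python
import json
import re

# Affected patch ranges from the Affected versions list, keyed by 1.x minor
# version: (first affected patch, last affected patch, fixed release).
# The 1.0.x-1.9.x line has no fixed patch release; the Fixes section says
# to upgrade those clusters to 1.10.11 or 1.11.5.
AFFECTED = {
    10: (0, 10, "1.10.11"),
    11: (0, 4, "1.11.5"),
    12: (0, 2, "1.12.3"),
}

# Accepts "v1.11.2" as well as vendor-suffixed strings such as "v1.11.2-foo.1".
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(git_version):
    """Parse a Kubernetes gitVersion string into (major, minor, patch)."""
    m = VERSION_RE.match(git_version)
    if not m:
        raise ValueError("unrecognised Kubernetes version: %r" % git_version)
    return tuple(int(x) for x in m.groups())


def assess(git_version):
    """Return (affected, recommended_upgrade) for an API server version."""
    major, minor, patch = parse_version(git_version)
    if major != 1:
        return False, None
    if minor <= 9:
        return True, "1.10.11 or 1.11.5"
    if minor in AFFECTED:
        first, last, fixed = AFFECTED[minor]
        if first <= patch <= last:
            return True, fixed
    return False, None


def assess_kubectl_output(kubectl_version_json):
    """Assess the serverVersion reported by `kubectl version -o json`."""
    data = json.loads(kubectl_version_json)
    return assess(data["serverVersion"]["gitVersion"])


# Constructed sample of `kubectl version -o json` output, trimmed to the fields used.
SAMPLE = '{"clientVersion": {"gitVersion": "v1.12.3"}, "serverVersion": {"gitVersion": "v1.11.2"}}'

if __name__ == "__main__":
    affected, target = assess_kubectl_output(SAMPLE)
    print("affected, upgrade to %s" % target if affected else "not affected")
```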

The security of serverless Kubernetes (ASK) clusters was reinforced before this vulnerability was introduced. Therefore, ASK clusters are not affected.