The Kubernetes community recently disclosed CVE-2024-5321, a vulnerability related to Windows nodes. In a Container Service for Kubernetes (ACK) cluster that contains Windows nodes, the Windows built-in security group BUILTIN\Users may read container logs on the nodes, and the security group NT AUTHORITY\Authenticated Users may have permission to modify container logs on the nodes, which poses a security risk to the system.
This vulnerability is rated as medium severity and its Common Vulnerability Scoring System (CVSS) score is 6.1. For more information about this vulnerability, see #126161.
Affected versions
The following community versions are affected by this vulnerability:
kubelet ≤ 1.27.15
kubelet ≤ 1.28.11
kubelet ≤ 1.29.6
kubelet ≤ 1.30.2
This vulnerability only affects clusters that contain Windows nodes. You can run the following command to check whether your cluster contains any Windows nodes (no output means none were found):
kubectl get nodes -l kubernetes.io/os=windows
Solution
If your cluster contains Windows nodes, we recommend that you follow the relevant announcements and upgrade the kubelet on those nodes to a version that is not in the affected ranges above. You can upgrade the kubelet by upgrading the node pool. For more information, see Update a node pool.
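The following script is an added example, not part of this advisory or of the ACK product. It combines the node query above with the affected-version list: each Windows node's kubelet version is classified as affected or fixed, so you can see which node pools still need the upgrade. It assumes that any patch level above a listed ceiling (1.27.15, 1.28.11, 1.29.6, 1.30.2) is fixed, that kubectl can reach the cluster, and the sample node list at the end is constructed.

```shell
#!/bin/sh
# Added example: classify Windows-node kubelet versions against the CVE-2024-5321
# affected ranges listed in the advisory. Assumption: a patch level above each
# listed ceiling is fixed; minor versions not in the list are reported as "unlisted".

# classify_kubelet VERSION -> prints affected | fixed | unlisted | unparseable
classify_kubelet() {
    v=${1#v}            # kubectl reports kubelet versions as e.g. v1.28.10
    v=${v%%[-+]*}       # drop a pre-release/build suffix such as -ack.1 before splitting
    old_ifs=$IFS; IFS=.; set -- $v; IFS=$old_ifs
    if [ "$#" -ne 3 ]; then echo unparseable; return; fi
    for part in "$1" "$2" "$3"; do
        case "$part" in ''|*[!0-9]*) echo unparseable; return ;; esac
    done
    [ "$1" -eq 1 ] || { echo unlisted; return; }
    case "$2" in
        27) ceiling=15 ;;
        28) ceiling=11 ;;
        29) ceiling=6 ;;
        30) ceiling=2 ;;
        *)  echo unlisted; return ;;   # minor not covered by the advisory's list
    esac
    if [ "$3" -le "$ceiling" ]; then echo affected; else echo fixed; fi
}

# check_windows_nodes: run the advisory's node query against the current kubeconfig
# and print one line per Windows node: name, kubelet version, classification.
check_windows_nodes() {
    kubectl get nodes -l kubernetes.io/os=windows \
        -o jsonpath='{range .items[*]}{.metadata.name}{" "}{.status.nodeInfo.kubeletVersion}{"\n"}{end}' |
    while read -r node version; do
        [ -n "$node" ] || continue
        printf '%s %s %s\n' "$node" "$version" "$(classify_kubelet "$version")"
    done
}

# Constructed sample node list (not from a real cluster) showing the classification.
sample_nodes='win-node-a v1.28.10
win-node-b v1.29.7
win-node-c v1.30.2-ack.1'
echo "$sample_nodes" | while read -r node version; do
    printf '%s %s %s\n' "$node" "$version" "$(classify_kubelet "$version")"
done
```

Run check_windows_nodes against a cluster instead of the sample list to get the real report; any node reported as affected should be upgraded through its node pool.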