CVE-2018-1002105

In all Kubernetes versions prior to v1.10.11, v1.11.5, and v1.12.3, incorrect handling of error responses to proxied upgrade requests in the kube-apiserver allowed specially crafted requests to establish a connection through the Kubernetes API server to backend servers, then send arbitrary requests over the same connection directly to the backend, authenticated with the Kubernetes API server's TLS credentials used to establish the backend connection.
References
Link Resource
https://groups.google.com/forum/#!topic/kubernetes-announce/GVllWCg6L88 Mailing List Third Party Advisory
https://github.com/kubernetes/kubernetes/issues/71411 Mitigation Issue Tracking Patch Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3754 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3752 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3742 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3624 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3598 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3551 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3549 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3537 Third Party Advisory
http://www.securityfocus.com/bid/106068 VDB Entry Third Party Advisory
https://github.com/evict/poc_CVE-2018-1002105 Exploit Third Party Advisory
https://www.exploit-db.com/exploits/46053/ Exploit Third Party Advisory VDB Entry
https://www.exploit-db.com/exploits/46052/ VDB Entry Exploit Third Party Advisory
https://www.coalfire.com/The-Coalfire-Blog/December-2018/Kubernetes-Vulnerability-What-You-Can-Should-Do Mitigation Third Party Advisory
https://security.netapp.com/advisory/ntap-20190416-0001/ Third Party Advisory
http://www.openwall.com/lists/oss-security/2019/06/28/2
http://www.openwall.com/lists/oss-security/2019/07/06/3
http://www.openwall.com/lists/oss-security/2019/07/06/4
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00041.html
Advertisement

NeevaHost hosting service

Configurations

Configuration 1 (hide)

OR cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*
cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*
cpe:2.3:a:kubernetes:kubernetes:1.9.12:beta0:*:*:*:*:*:*
cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*
cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:a:redhat:openshift_container_platform:3.3:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform:3.2:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform:3.5:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform:3.6:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform:3.8:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform:3.4:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform:3.10:*:*:*:*:*:*:*

Configuration 3 (hide)

cpe:2.3:a:netapp:trident:-:*:*:*:*:*:*:*

Information

Published : 2018-12-05 13:29

Updated : 2019-06-28 14:15


NVD link : CVE-2018-1002105

Mitre link : CVE-2018-1002105


JSON object : View

CWE
CWE-388

7PK - Errors

Advertisement

dedicated server usa

Products Affected

netapp

  • trident

kubernetes

  • kubernetes

redhat

  • openshift_container_platform