Essa é a versão completa de impressão dessa seção Clique aqui para imprimir.
Problemas e Alertas de Segurança do Kubernetes
1 - Rastreador de Issue Kubernetes
Para reportar um problema de segurança, siga processo de divulgação de segurança do Kubernetes.
O trabalho no código do Kubernetes e os problemas de segurança podem ser encontrados usando issues do GitHub.
- Lista oficial de CVEs conhecidos (vulnerabilidades de segurança) que foram anunciados pelo comitê de resposta de segurança
- Questões relacionadas ao CVE
Anúncios relacionados à segurança são enviados para a lista de discussão kubernetes-security-announce@googlegroups.com.
2 - Feed Oficial de CVE
Kubernetes v1.27 [beta]
Esta é uma lista, mantida pela comunidade, de CVEs oficiais anunciadas pelo Comitê de Resposta de Segurança do Kubernetes. Veja Informações de Segurança e Divulgação do Kubernetes para mais detalhes.
O projeto Kubernetes publica um Feed JSON, que pode ser programaticamente acessado, de questões de segurança publicadas. Você pode acessá-lo executando o seguinte comando:
curl -Lv https://k8s.io/docs/reference/issues-security/official-cve-feed/index.json
ID da CVE | Resumo da issue | URL da issue relacionada à CVE no GitHub |
---|---|---|
CVE-2024-10220 | Arbitrary command execution through gitRepo volume | #128885 |
CVE-2024-9594 | VM images built with Image Builder with some providers use default credentials during builds | #128007 |
CVE-2024-9486 | VM images built with Image Builder and Proxmox provider use default credentials | #128006 |
CVE-2024-7646 | Ingress-nginx Annotation Validation Bypass | #126744 |
CVE-2024-5321 | Incorrect permissions on Windows containers logs | #126161 |
CVE-2024-3744 | azure-file-csi-driver discloses service account tokens in logs | #124759 |
CVE-2024-3177 | Bypassing mountable secrets policy imposed by the ServiceAccount admission plugin | #124336 |
CVE-2023-5528 | Insufficient input sanitization in in-tree storage plugin leads to privilege escalation on Windows nodes | #121879 |
CVE-2023-5044 | Code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation | #126817 |
CVE-2023-5043 | Ingress nginx annotation injection causes arbitrary command execution | #126816 |
CVE-2022-4886 | ingress-nginx path sanitization can be bypassed | #126815 |
CVE-2023-3955 | Insufficient input sanitization on Windows nodes leads to privilege escalation | #119595 |
CVE-2023-3893 | Insufficient input sanitization on kubernetes-csi-proxy leads to privilege escalation | #119594 |
CVE-2023-3676 | Insufficient input sanitization on Windows nodes leads to privilege escalation | #119339 |
CVE-2023-2431 | Bypass of seccomp profile enforcement | #118690 |
CVE-2023-2728 | Bypassing policies imposed by the ImagePolicyWebhook and bypassing mountable secrets policy imposed by the ServiceAccount admission plugin | #118640 |
CVE-2023-2727 | Bypassing policies imposed by the ImagePolicyWebhook and bypassing mountable secrets policy imposed by the ServiceAccount admission plugin | #118640 |
CVE-2023-2878 | secrets-store-csi-driver discloses service account tokens in logs | #118419 |
CVE-2022-3294 | Node address isn't always verified when proxying | #113757 |
CVE-2022-3162 | Unauthorized read of Custom Resources | #113756 |
CVE-2022-3172 | Aggregated API server can cause clients to be redirected (SSRF) | #112513 |
CVE-2021-25749 | `runAsNonRoot` logic bypass for Windows containers | #112192 |
CVE-2021-25748 | Ingress-nginx `path` sanitization can be bypassed with newline character | #126814 |
CVE-2021-25746 | Ingress-nginx directive injection via annotations | #126813 |
CVE-2021-25745 | Ingress-nginx `path` can be pointed to service account token file | #126812 |
CVE-2021-25742 | Ingress-nginx custom snippets allows retrieval of ingress-nginx serviceaccount token and secrets across all namespaces | #126811 |
CVE-2021-25741 | Symlink Exchange Can Allow Host Filesystem Access | #104980 |
CVE-2021-25737 | Holes in EndpointSlice Validation Enable Host Network Hijack | #102106 |
CVE-2021-3121 | Processes may panic upon receipt of malicious protobuf messages | #101435 |
CVE-2021-25735 | Validating Admission Webhook does not observe some previous fields | #100096 |
CVE-2020-8554 | Man in the middle using LoadBalancer or ExternalIPs | #97076 |
CVE-2020-8566 | Ceph RBD adminSecrets exposed in logs when loglevel >= 4 | #95624 |
CVE-2020-8565 | Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9 | #95623 |
CVE-2020-8564 | Docker config secrets leaked when file is malformed and log level >= 4 | #95622 |
CVE-2020-8563 | Secret leaks in kube-controller-manager when using vSphere provider | #95621 |
CVE-2020-8557 | Node disk DOS by writing to container /etc/hosts | #93032 |
CVE-2020-8559 | Privilege escalation from compromised node to cluster | #92914 |
CVE-2020-8558 | Node setting allows for neighboring hosts to bypass localhost boundary | #92315 |
CVE-2020-8555 | Half-Blind SSRF in kube-controller-manager | #91542 |
CVE-2020-10749 | IPv4 only clusters susceptible to MitM attacks via IPv6 rogue router advertisements | #91507 |
CVE-2019-11254 | kube-apiserver Denial of Service vulnerability from malicious YAML payloads | #89535 |
CVE-2020-8552 | apiserver DoS (oom) | #89378 |
CVE-2020-8551 | Kubelet DoS via API | #89377 |
CVE-2020-8553 | ingress-nginx auth-type basic annotation vulnerability | #126818 |
CVE-2019-11251 | kubectl cp symlink vulnerability | #87773 |
CVE-2018-1002102 | Unvalidated redirect | #85867 |
CVE-2019-11255 | CSI volume snapshot, cloning and resizing features can result in unauthorized volume data access or mutation | #85233 |
CVE-2019-11253 | Kubernetes API Server JSON/YAML parsing vulnerable to resource exhaustion attack | #83253 |
CVE-2019-11250 | Bearer tokens are revealed in logs | #81114 |
CVE-2019-11248 | /debug/pprof exposed on kubelet's healthz port | #81023 |
CVE-2019-11249 | Incomplete fixes for CVE-2019-1002101 and CVE-2019-11246, kubectl cp potential directory traversal | #80984 |
CVE-2019-11247 | API server allows access to custom resources via wrong scope | #80983 |
CVE-2019-11245 | container uid changes to root after first restart or if image is already pulled to the node | #78308 |
CVE-2019-11243 | rest.AnonymousClientConfig() does not remove the serviceaccount credentials from config created by rest.InClusterConfig() | #76797 |
CVE-2019-11244 | `kubectl:-http-cache=<world-accessible dir>` creates world-writeable cached schema files | #76676 |
CVE-2019-1002100 | json-patch requests can exhaust apiserver resources | #74534 |
CVE-2018-1002105 | proxy request handling in kube-apiserver can leave vulnerable TCP connections | #71411 |
CVE-2018-1002101 | smb mount security issue | #65750 |
CVE-2018-1002100 | Kubectl copy doesn't check for paths outside of it's destination directory. | #61297 |
CVE-2017-1002102 | atomic writer volume handling allows arbitrary file deletion in host filesystem | #60814 |
CVE-2017-1002101 | subpath volume mount handling allows arbitrary file access in host filesystem | #60813 |
CVE-2017-1002100 | Azure PV should be Private scope not Container scope | #47611 |
CVE-2017-1000056 | PodSecurityPolicy admission plugin authorizes incorrectly | #43459 |
Este feed é automaticamente atualizado, mas com um pequeno atraso perceptível (minutos a horas), desde o momento em que um CVE é anunciado até o momento em que é acessível neste feed.
A fonte deste feed é um conjunto de issues do GitHub, filtrado pelo rótulo controlado e restrito official-cve-feed
. Os dados brutos são armazenados em um Google Cloud Bucket que é somente escrito por um pequeno número de membros confiáveis da Comunidade.