[ANNOUNCE] Security release of dashboard v1.10.1 - CVE-2018-18264

Jessie Frazelle

Jan 4, 2019, 11:58:36 AM
to kuberne...@googlegroups.com, kubernetes-sec...@googlegroups.com, kubernetes-se...@googlegroups.com
Hello Kubernauts,

Happy new year!

A security issue was discovered in kubernetes dashboard versions
v1.10.0 or older. The issue is High if you are using custom
certificates for the dashboard. Upgrading to v1.10.1 of the dashboard
is encouraged to fix this issue.

**Am I vulnerable?**

If you are running the kubernetes dashboard version that has login
functionality (v1.7.0 - v1.10.0) and you use custom certificates you
are vulnerable.

**How can I mitigate the issue?**

Delete the dashboard:

kubectl --namespace kube-system delete deployment kubernetes-dashboard

**How do I upgrade?**

Follow the installation instructions at
https://github.com/kubernetes/dashboard/releases/tag/v1.10.1

**Vulnerability Details**

The TLS secrets for a Kubernetes Dashboard can be obtained by visiting
https://[DASHBOARD_HOST]/api/v1/secret/kube-system/kubernetes-dashboard-certs.
This occurs even if you have authentication via token enabled on the
dashboard.

If you were using custom certificates for the dashboard those will
need to be revoked because they may have been compromised. If you are
not using custom certificates you are safe since the default behavior
is to generate certs and store them in-memory.

This is being updated in the kubernetes addons here:
https://github.com/kubernetes/kubernetes/pull/72495 and will be
cherry-picked to the next patch version of 1.13.

**Thank you**

Thank you to Tomek Rabczak for the find and Sebastian Florek for the
coordination in making this release.

Thanks,

Jess on behalf of the Kubernetes Product Security Team


--


Jessie Frazelle
4096R / D4C4 DD60 0D66 F65A 8EFC 511E 18F3 685C 0022 BFF3
pgp.mit.edu
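The two checks the advisory implies (is my dashboard in the v1.7.0 to v1.10.0 range, and does the unauthenticated secret endpoint hand out my TLS key) as a small triage script. This is an added example, not code from the advisory or from the kubernetes/dashboard project. It assumes kubectl and curl are on PATH for the live checks, that the deployed image tag carries the release version (for example ...:v1.10.0), and that the exposed secret stores its key under "dashboard.key" (or "tls.key"), as in the v1.x install instructions; the JSON body it parses offline is constructed here, not captured from a real dashboard.

```sh
#!/bin/sh
# Added example, not code from the advisory or the kubernetes/dashboard project.
# Triage helpers for CVE-2018-18264 (dashboard TLS secret readable without auth).
# Assumptions: kubectl and curl are on PATH for the live checks; the dashboard image
# tag carries the release version (e.g. ...:v1.10.0); the exposed secret keeps its
# private key under "dashboard.key" (or "tls.key").
set -u

# Return 0 if a dashboard release (vX.Y.Z) falls in the affected range v1.7.0..v1.10.0,
# 1 if it is outside that range, 2 if the version string cannot be parsed.
dashboard_version_affected() {
  v=${1#v}
  major=${v%%.*}
  rest=${v#*.}
  case "$rest" in
    *.*) minor=${rest%%.*}; patch=${rest#*.} ;;
    *)   minor=$rest;        patch=0 ;;
  esac
  patch=${patch%%[!0-9]*}          # drop pre-release suffixes such as "-rc1"
  patch=${patch:-0}
  for part in "$major" "$minor" "$patch"; do
    case "$part" in ''|*[!0-9]*) return 2 ;; esac
  done
  [ "$major" -eq 1 ] || return 1
  [ "$minor" -ge 7 ] && [ "$minor" -le 10 ] || return 1
  # v1.10.1 is the fixed release
  if [ "$minor" -eq 10 ] && [ "$patch" -ge 1 ]; then return 1; fi
  return 0
}

# base64 decode that works with both GNU (-d) and BSD (-D) base64.
b64_decode() {
  printf '%s' "$1" | base64 -d 2>/dev/null || printf '%s' "$1" | base64 -D 2>/dev/null
}

# Return 0 if a JSON body from the secret endpoint carries a base64 PEM private key.
secret_body_leaks_key() {
  key_b64=$(printf '%s' "$1" | tr -d '\n' |
    sed -nE 's/.*"(dashboard|tls)\.key"[[:space:]]*:[[:space:]]*"([^"]*)".*/\2/p')
  [ -n "$key_b64" ] || return 1
  b64_decode "$key_b64" | grep -q 'PRIVATE KEY'
}

# Live check 1: read the deployed image tag and compare it with the affected range.
check_deployed_version() {
  image=$(kubectl --namespace kube-system get deployment kubernetes-dashboard \
            -o jsonpath='{.spec.template.spec.containers[0].image}')
  tag=${image##*:}
  if dashboard_version_affected "$tag"; then
    echo "dashboard $tag is in the affected range; upgrade to v1.10.1 or delete the deployment"
    return 0
  fi
  echo "dashboard $tag is outside the affected range"
  return 1
}

# Live check 2: request the secret endpoint named in the advisory with no token at all
# and see whether the TLS private key comes back (-k because the certs may be custom).
check_dashboard_host() {
  host=$1
  tmp=$(mktemp)
  code=$(curl -sk -o "$tmp" -w '%{http_code}' \
           "https://$host/api/v1/secret/kube-system/kubernetes-dashboard-certs") || code=000
  body=$(cat "$tmp")
  rm -f "$tmp"
  if [ "$code" = 200 ] && secret_body_leaks_key "$body"; then
    echo "EXPOSED: $host returns the dashboard TLS private key unauthenticated (HTTP $code)"
    return 0
  fi
  echo "not exposed via $host (HTTP $code)"
  return 1
}

# Constructed sample response (not captured from a real dashboard): a secret object
# with base64-encoded PEM blobs under "data", plus one with an empty data map.
SAMPLE_KEY_B64=$(printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIEowIBAAKCAQEA' \
                   '-----END RSA PRIVATE KEY-----' | base64 | tr -d '\n')
SAMPLE_BODY='{"objectMeta":{"name":"kubernetes-dashboard-certs","namespace":"kube-system"},"data":{"dashboard.crt":"Q0VSVA==","dashboard.key":"'"$SAMPLE_KEY_B64"'"}}'
SAMPLE_CLEAN='{"objectMeta":{"name":"kubernetes-dashboard-certs"},"data":{}}'

# Offline demo on the constructed samples; pass a dashboard host to run the live checks.
if [ -n "${1:-}" ]; then
  check_deployed_version
  check_dashboard_host "$1"
else
  for ver in v1.6.3 v1.7.0 v1.10.0 v1.10.1; do
    if dashboard_version_affected "$ver"; then echo "$ver: affected"; else echo "$ver: not affected"; fi
  done
  secret_body_leaks_key "$SAMPLE_BODY" && echo "sample body: private key present"
  secret_body_leaks_key "$SAMPLE_CLEAN" || echo "empty data map: no key"
fi
```

If check_dashboard_host reports the key as exposed, treat the certificate as compromised exactly as the advisory says: delete the deployment (or upgrade to v1.10.1), then revoke and reissue the custom certificate rather than only rotating the secret, since anyone who reached the endpoint already has the key.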