Red Hat has disclosed a flaw, reported by the Kubernetes community, that if left unpatched could give an unauthorised party the ability to escalate their privileges on Kubernetes installations, including Red Hat OpenShift.
The flaw, CVE-2018-1002105, is in Kubernetes 1.10 and higher and is rated as critical due to its ease of exploitation. It affects Red Hat OpenShift Container Platform 3.x, Red Hat OpenShift Online and Red Hat OpenShift Dedicated.
The vulnerability allows non-privileged users to access Kubernetes clusters and associated data. There are two potential paths to exploitation.
"The first involves abusing pod exec privileges granted to a normal user, and the second involves attacking the API extensions feature which provides the service catalogue and access to additional features in Kubernetes 1.6 and later," Red Hat said in a release.
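Because the first path starts from pod exec privileges held by an ordinary user, a defender's first question is who in the cluster can actually `create pods/exec`. The script below is an added example, not code from Red Hat or the Kubernetes project: it walks RBAC objects in the JSON shape `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json` produces and lists every subject bound, directly or through a ClusterRole, to a rule that grants that verb on that subresource. The embedded RBAC data is constructed for the example and does not describe any real cluster; applying the updates remains the fix, this only shows where the exposure is widest.

```python
"""Audit Kubernetes RBAC for subjects that can `create pods/exec`.

Added example. SAMPLE_RBAC is constructed, hand-written data in the shape of
`kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json`;
pass a file of real output as argv[1] to audit an actual cluster.
"""
import json
import sys

SAMPLE_RBAC = json.loads("""
{"items": [
  {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
   "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
  {"kind": "ClusterRole", "metadata": {"name": "view"},
   "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"],
              "verbs": ["get", "list", "watch"]}]},
  {"kind": "Role", "metadata": {"name": "dev-exec", "namespace": "dev"},
   "rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]},
  {"kind": "ClusterRoleBinding", "metadata": {"name": "admins"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "Group", "name": "system:masters"}]},
  {"kind": "RoleBinding", "metadata": {"name": "dev-exec-bind", "namespace": "dev"},
   "roleRef": {"kind": "Role", "name": "dev-exec"},
   "subjects": [{"kind": "User", "name": "alice"}]},
  {"kind": "RoleBinding", "metadata": {"name": "viewers", "namespace": "dev"},
   "roleRef": {"kind": "ClusterRole", "name": "view"},
   "subjects": [{"kind": "User", "name": "bob"}]}
]}
""")


def rule_matches(rule, api_group, resource, verb):
    """Does one PolicyRule cover the (apiGroup, resource, verb) triple?
    '*' is a wildcard in each field; subresources are spelled 'pods/exec'."""
    def hit(values, want):
        return "*" in values or want in values
    return (hit(rule.get("apiGroups", []), api_group)
            and hit(rule.get("resources", []), resource)
            and hit(rule.get("verbs", []), verb))


def roles_granting(items, api_group, resource, verb):
    """Set of (kind, namespace, name) for Roles/ClusterRoles granting the triple.
    ClusterRoles are cluster-scoped, so their namespace is recorded as ''."""
    granted = set()
    for obj in items:
        if obj["kind"] not in ("Role", "ClusterRole"):
            continue
        meta = obj["metadata"]
        if any(rule_matches(r, api_group, resource, verb) for r in obj.get("rules", [])):
            granted.add((obj["kind"], meta.get("namespace", ""), meta["name"]))
    return granted


def subjects_with(items, api_group="", resource="pods/exec", verb="create"):
    """Sorted (subject_kind, subject_name, scope, role_name) tuples for every
    binding whose roleRef resolves to a role granting the triple.
    scope is 'cluster-wide' for ClusterRoleBindings, else the binding namespace."""
    granted = roles_granting(items, api_group, resource, verb)
    findings = set()
    for obj in items:
        if obj["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref = obj["roleRef"]
        ns = obj["metadata"].get("namespace", "")
        # A RoleBinding may point at a ClusterRole (namespace '') or a Role in its own namespace.
        key = (ref["kind"], "" if ref["kind"] == "ClusterRole" else ns, ref["name"])
        if key not in granted:
            continue
        scope = "cluster-wide" if obj["kind"] == "ClusterRoleBinding" else ns
        for subj in obj.get("subjects", []):
            findings.add((subj["kind"], subj["name"], scope, ref["name"]))
    return sorted(findings)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE_RBAC
    for kind, name, scope, role in subjects_with(data["items"]):
        print(f"{kind} {name} can create pods/exec in {scope} via {role}")
```

On the constructed data this reports `system:masters` (cluster-wide, through `cluster-admin`) and `alice` (in `dev`, through `dev-exec`); `bob` is absent because `view` carries no exec verb. Wildcard handling matters: a role with `"resources": ["*"]` grants exec even though the string `pods/exec` never appears in it, which a plain grep for the subresource would miss.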
Kubernetes is recommending all users apply the appropriate updates.
This article was originally published on SC Media US.