Micro Focus Security Update - Micro Focus Software Portfolio CVE-2018-1002105

  • KM03304334
  • 17-Dec-2018
  • 22-Jan-2019

Summary

The following article provides details on the Kubernetes vulnerability CVE-2018-1002105 in the context of the Micro Focus software portfolio.

Question

CNCF Kubernetes (K8s) has published a security alert about a privilege escalation vulnerability in its API server that can be exploited in the default configuration of K8s:

Kubernetes CVE-2018-1002105: "Proxy request handling in kube-apiserver can leave vulnerable TCP connections"
https://nvd.nist.gov/vuln/detail/CVE-2018-1002105
https://github.com/kubernetes/kubernetes/issues/71411


This document describes the impact of the Kubernetes vulnerability in the context of Micro Focus Container Deployment Foundation (CDF)-based products, and a recommended additional mitigation to the CDF configuration of Kubernetes.


Affected Products and Releases
The Micro Focus products listed below are based on the Micro Focus Container Deployment Foundation (CDF), which includes Kubernetes in a customized configuration.

ITOM Containerized Suites

Product                                       Release
ITOM Service Management Automation (SMA)      All releases, 2017.xx to 2018.11
Answer

ACTION: Review all details in the instructions provided in this article to address the vulnerability.
Micro Focus recommends acting on this information as soon as possible.

Impacts
Micro Focus Container Deployment Foundation installs Kubernetes with a configuration that differs from the default setup that is assumed in CVE-2018-1002105. Anonymous users are not authorized to access CDF's Kubernetes API server, and therefore are unable to exploit the Kubernetes vulnerability to escalate from low-level privileges. Also, aggregated API services are not deployed by CDF in the Kubernetes cluster. Given that CDF enforces API client authentication by default, it is possible to also apply the specific mitigation that Kubernetes recommends in its security alert as an additional measure, without the disruptive impact that is mentioned in the alert.

Mitigation Actions
The following action plan applies to all products and releases noted above.
Micro Focus recommends, as an additional measure, adding --anonymous-auth=false as a startup parameter of the Kubernetes API server, as advised in the CVE alert.

A script to apply this configuration change is attached to this article:

patch-apiserver.zip


Note: Do not attempt to change the K8s apiserver configuration file using a text editor, as this may cause a failure in the restart of the K8S API server.

Perform the following steps on all master nodes to change the API server configuration:

1. Log in as root user

2. Download the patch-apiserver.sh script to a local directory, for example, $K8S_HOME/scripts.
3. Go to the directory where you put the patch script file. For example, run the following command:
cd $K8S_HOME/scripts
4. Run the patch script with the following commands:
chmod u+x patch-apiserver.sh
./patch-apiserver.sh

Note: The apiserver POD will get restarted automatically after you run the commands. The API server may be unavailable for several seconds, but the application containers will continue to run without downtime. Do not attempt to change the apiserver configuration file using a text editor, as this may cause a failure in the restart of the Kubernetes API server.
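After the patch script has run, an administrator will want to confirm that the API server manifest actually carries the new parameter. The following is an added verification example; it is not the attached patch-apiserver.sh and not CDF code. It assumes the API server runs as a static pod described by a YAML manifest whose path is passed in (the article does not give the CDF manifest location), and it ships with constructed sample manifests so it can be run stand-alone.

```shell
#!/bin/sh
# Added verification example (not the attached patch-apiserver.sh, not CDF
# code): report whether a kube-apiserver manifest carries the
# --anonymous-auth=false startup parameter recommended in this article.
# Assumption: the API server is a static pod with a YAML manifest; pass the
# real path as the first argument of check_manifest on a master node.

# Exit 0 if the manifest sets --anonymous-auth=false, 1 otherwise.
# Accepts "--anonymous-auth=false", "--anonymous-auth false" and the
# double-quoted YAML form; "--anonymous-auth=true" does not match.
anonymous_auth_disabled() {
  grep -Eq -- '--anonymous-auth[=[:space:]"]*false' "$1"
}

# Human-readable check; prints a verdict and returns the same status.
check_manifest() {
  if anonymous_auth_disabled "$1"; then
    echo "OK: $1 sets --anonymous-auth=false"
  else
    echo "MISSING: $1 does not set --anonymous-auth=false"
    return 1
  fi
}

# Constructed sample manifests (not from the product) for a stand-alone run.
unpatched=$(mktemp)
cat >"$unpatched" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
spec:
  containers:
  - name: kube-apiserver
    command:
    - kube-apiserver
    - --authorization-mode=RBAC
    - --secure-port=8443
EOF

# Same manifest with the recommended flag appended to the command list.
patched=$(mktemp)
{ cat "$unpatched"; echo '    - --anonymous-auth=false'; } >"$patched"

check_manifest "$patched"            # OK, status 0
check_manifest "$unpatched" || :     # MISSING, status 1 (kept non-fatal here)
```

On a master node, run check_manifest against the real kube-apiserver manifest path instead of the constructed samples.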