54
devNews
6y

--- URGENT: Major security flaw in Kubernetes: Update Kubernetes at all costs! ---
Detailed info: https://github.com/kubernetes/...

If you are running any unpatched versions of Kubernetes, you must update now. Anyone might be able to send commands directly to your backend through a forged network request, without even triggering a single line in the log, making their attack practically invisible!

If you are running a version of Kubernetes below 1.10... there is no help for you. Upgrade to a newer version, e.g. 1.12.3.

Comments
  • 6
    Post written by @filthyranter
  • 28
  • 7
  • 14
    I am forwarding it to my coworkers, and if this was a stupid prank, imma report you
  • 7
    @dreadedghoul Dude, check the detailed info. Not a prank.
  • 8
    @filthyranter Thank you very much then for your services.
  • 3
    @dreadedghoul Check the project's Github
  • 3
    Definitely not a prank.
  • 4
    Thanks for the heads up! *runs off to check on stuff*
  • 3
    Don't run Kubernetes, but shared as good as I could 😅 Thanks!
  • 9
    Why such urgency? Common practice for security issues - especially critical ones like this - is reporting privately to the developer and giving them 3 months of time to fix it, and for users to update timely. Needless to say, private disclosure is not a huggin' public GitHub issue. That is *very* bad practice. Only after 3 months have passed, the project has fixed the issue and users that update their software regularly can be reasonably expected to have updated their software already, such an issue should be published by the researcher.

    Well, I guess that the dam has broken already. Fortunately I'm not running k8s anywhere here.
  • 3
    @Condor I don't like this approach either, but now that it's put on GitHub, all users of Kubernetes have to act.
  • 4
    @Condor I saw what you did there
    *looking for someone giving a hug* 😂
  • 3
    @beleg See previous devNews article
  • 3
    @filthyranter I did, and sorry, I couldn't resist
  • 5
    @beleg 🤗 for huggin' political correctness and censorship 😆

    Can't wait for the moment that this censorship becomes common and we despicable white cis males can go into any cafe and say "hey babe, wanna hug 😏" and when she gets angry, we can get away with it with "oh sorry I meant the 🤗 hug, not the *hug* hug, wink wink, nudge nudge 😏"

    Well, all's good for us despicable white cis males with this one I'd say 😝
  • 4
    @Condor But you forgot, hugging women is rape when a cishet does it as well.
  • 6
    @filthyranter hmm, we wiener-wielders can't do anything right, can we 🤔
    ... 😢.. bro, I don't even know what's right anymore 🤗😭

    So, I guess that I just raped a fellow white cis male over TCP/IP like that 🤔 is that a crime? I mean, given that those feminazis hate all men, I suspect that they might selectively ignore such a thing.. hmm 🤔

    Well, in their own words a hug is something positive and inclusive so there's that 🤗
  • 4
    @Condor Nah, cishets can't be raped because they have dicks, obviously.
  • 3
    @filthyranter
    *can't have tickles
    *they don't have sausages
  • 0
  • 1
    @EvilArcher That's a big bummer for them, as they won't be able to mitigate this issue before someone attacks, without any log entries whatsoever as well.
  • 1
    @EvilArcher They will get into trouble then.
  • -1
    Hmm, thanks for the information. We did not encounter such a problem, maybe because we are cooperating with https://volterra.io/solutions/... on this issue. There you can get professional expert advice at any time. Also, we did not receive messages of any changes.
  • 0
  • 1
    @lolapaluuza

    You know there's a "created_time" attribute in the api. Why don't you just take a look at its value so you won't raise the dead every time, like any other civilized bot does?
Add Comment