
--- URGENT: Major security flaw in Kubernetes: Update Kubernetes at all costs! ---
Detailed info: https://github.com/kubernetes/...

If you are running any unpatched versions of Kubernetes, you must update now. Anyone might be able to send commands directly to your backend through a forged network request, without even triggering a single line in the log, making their attack practically invisible!

If you are running a version of Kubernetes below 1.10... there is no help for you. Upgrade to a newer version, e.g. 1.12.3.

Comments
  • 4
    Post written by @filthyranter
  • 25
  • 6
  • 11
    I am forwarding it to my coworkers, and if this was a stupid prank, imma report you
  • 6
    @dreadedghoul Dude, check the detailed info. Not a prank.
  • 6
    @filthyranter Thank you very much then for your services.
  • 3
    @dreadedghoul Check the project's Github
  • 3
    Definitely not a prank.
  • 4
    Thanks for the heads up! *runs off to check on stuff*
  • 3
    Don't run Kubernetes, but shared as good as I could 😅 Thanks!
  • 9
    Why such urgency? Common practice for security issues - especially critical ones like this - is reporting privately to the developer and giving them 3 months of time to fix it, and for users to update timely. Needless to say, private disclosure is not a huggin' public GitHub issue. That is *very* bad practice. Only after 3 months have passed, the project has fixed the issue and users that update their software regularly can be reasonably expected to have updated their software already, such an issue should be published by the researcher.

    Well, I guess that the dam has broken already. Fortunately I'm not running k8s anywhere here.
  • 3
    @Condor I don't like this approach either, but now that it's put on GitHub, all users of Kubernetes have to act.
  • 4
    @Condor I saw what you did there
    *looking for someone giving a hug* 😂
  • 3
    @beleg See previous devNews article
  • 3
    @filthyranter I did, and sorry, I couldn't resist
  • 5
    @beleg 🤗 for huggin' political correctness and censorship 😆

    Can't wait for the moment that this censorship becomes common and we despicable white cis males can go into any cafe and say "hey babe, wanna hug 😏" and when she gets angry, we can get away with it with "oh sorry I meant the 🤗 hug, not the *hug* hug, wink wink, nudge nudge 😏"

    Well, all's good for us despicable white cis males with this one I'd say 😝
  • 3
    @Condor But you forgot, hugging women is rape when a cishet does it as well.
  • 5
    @filthyranter hmm, we wiener-wielders can't do anything right, can we 🤔
    ... 😢.. bro, I don't even know what's right anymore 🤗😭

    So, I guess that I just raped a fellow white cis male over TCP/IP like that 🤔 is that a crime? I mean, given that those feminazis hate all men, I suspect that they might selectively ignore such a thing.. hmm 🤔

    Well, in their own words a hug is something positive and inclusive so there's that 🤗
  • 3
    @Condor Nah, cishets can't be raped because they have dicks, obviously.
  • 3
    @filthyranter
    *can't have tickles
    *they don't have sausages
  • 0
  • 2
    Haha. I just laugh at a *redacted* company that uses Kubernetes for site hosting/management, because I implemented it there and I resigned a month ago. Everything there is running perfectly fine without a sysadmin, but there are no auto updates, so I just laugh.
  • 2
    @EvilArcher That's a big bummer for them, as they won't be able to mitigate this issue before someone attacks, without any log entries whatsoever as well.
  • 2
    @filthyranter I bet that they don't know about the issue yet and since I know that there isn't any sysadmin there, who knows what will happen?
  • 2
    @EvilArcher They will get into trouble then.
  • 2