CVE-2018-1002105 Kubernetes privilege escalation

Bug #1806749 reported by Bruce Jones
Affects: StarlingX
Status: Fix Released
Importance: Medium
Assigned to: Frank Miller

Ken Young (kenyis)
tags: added: stx.security
Ken Young (kenyis) wrote :

Assigning to Frank Miller, the containers team lead, to plan further how this CVE will be addressed. Given K8s is not part of the main code of Starling X yet, the plan to fix this code is up to the containers team. The ask from the security team is to correct this CVE before the release is complete.

Changed in starlingx:
importance: Undecided → Medium
status: New → Triaged
assignee: nobody → Frank Miller (sensfan22)
tags: added: stx.2019.03
Frank Miller (sensfan22) wrote :

We are currently running kubernetes-1.12.1 and the CVE indicates it is addressed in kubernetes-1.12.3. We'll work on identifying when is the right time to up-version to v1.12.3.

Ken Young (kenyis)
tags: added: stx.2019.05
removed: stx.2019.03
Frank Miller (sensfan22) wrote :

This was addressed by the following:
https://review.openstack.org/#/c/632548/ (Uprev kubernetes to 1.12.3)

Changed in starlingx:
status: Triaged → Fix Released
Ken Young (kenyis)
tags: added: stx.2.0
removed: stx.2019.05
Ken Young (kenyis)
information type: Private Security → Public