Kubernetes Dashboard TLS Certificate Leak
Severity
High
Vendor
Pivotal Cloud Foundry
Description
Kubernetes Dashboard before 1.10.1 allows attackers to bypass authentication and use Dashboard's Service Account for reading secrets within the cluster.
Affected VMware Products and Versions
Severity is high unless otherwise noted.
- Pivotal Container Service (PKS) all versions prior to 1.2.5
Mitigation
Users of affected versions should apply the following mitigation:
- Releases that have fixed this issue include:
- Pivotal Container Service (PKS) version 1.2.5
References
- https://www.cloudfoundry.org/blog/cve-2018-18264/
- https://groups.google.com/d/msg/kubernetes-security-discuss/jvMKMOkFW8U/KloclNQZEQAJ
History
2019-01-04: Initial vulnerability report published