This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login.
Q1. What is this vulnerability? (Essence + Consequences)
**Essence**: A critical privilege-escalation flaw in Kubernetes. The API server fails to properly handle error responses during WebSocket upgrades.…
**Root Cause**: Improper handling of error responses. Specifically, the API server does not correctly validate the WebSocket upgrade request context.…
**Threshold**: Medium-High.
• **Auth Required**: Yes; typically requires `create` and `get` privileges on `pods` and `pods/exec`.
• **Config**: Can be exploited via authenticated API calls.…
**Public Exploits**: YES. Multiple PoCs are available on GitHub (e.g., `gravitational/cve-2018-1002105`, `evict/poc_CVE-2018-1002105`). These tools can automatically check for the vulnerability and even execute commands.
Q7. How to self-check? (Features/Scanning)
**Self-Check**:
1. Run the official test utility from Gravitational.
2. Check your Kubernetes version against the fixed versions.
3. Monitor API server logs for suspicious WebSocket upgrade requests.…
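As an added helper for step 2 (not part of the original analysis): a Python script that reads the server version from `kubectl version -o json` output and compares it with the fixed releases listed below. Beyond the summary it assumes that minor branches older than 1.10 never received a fix release and that 1.13 and later were cut after the fix landed.

```python
"""Compare a Kubernetes API server version with the CVE-2018-1002105 fix releases."""
import json
import re

# First patched patch-level per affected minor branch, as listed in the summary.
FIXED_PATCH = {10: 11, 11: 5, 12: 3}

# Assumptions not stated in the summary: branches older than 1.10 got no fix
# release, and 1.13+ was cut after the fix landed.
OLDEST_FIXED_MINOR = min(FIXED_PATCH)
FIRST_CLEAN_MINOR = max(FIXED_PATCH) + 1

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(git_version):
    """Return (major, minor, patch) from 'v1.11.3' or 'v1.12.3-gke.1'; suffixes are ignored."""
    m = _VERSION_RE.match(git_version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {git_version!r}")
    return tuple(int(x) for x in m.groups())


def is_fixed(git_version):
    """True when the given server version contains the CVE-2018-1002105 fix."""
    major, minor, patch = parse_version(git_version)
    if major != 1:
        raise ValueError("only 1.x release lines are handled")
    if minor < OLDEST_FIXED_MINOR:
        return False
    if minor >= FIRST_CLEAN_MINOR:
        return True
    return patch >= FIXED_PATCH[minor]


def assess_kubectl_output(text):
    """Parse `kubectl version -o json` output and report the server's fix status."""
    server = json.loads(text)["serverVersion"]["gitVersion"]
    return {"serverVersion": server, "fixed": is_fixed(server)}


# Constructed sample of `kubectl version -o json` output, not captured from a real cluster.
SAMPLE_OUTPUT = """{
  "clientVersion": {"gitVersion": "v1.12.3"},
  "serverVersion": {"gitVersion": "v1.11.4"}
}"""

if __name__ == "__main__":
    print(assess_kubectl_output(SAMPLE_OUTPUT))  # {'serverVersion': 'v1.11.4', 'fixed': False}
```

Pipe real output in with `kubectl version -o json | python3 -c 'import sys; ...'` or call `assess_kubectl_output` on the captured string.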
**Official Fix**: YES. Patched in versions 1.10.11+, 1.11.5+, and 1.12.3+. Red Hat also issued advisories (RHSA-2018:3752, etc.) for their distributions.
Q9. What if no patch? (Workaround)
**No Patch Workaround**:
• **Restrict Permissions**: Limit `pods/exec` and `pods/portforward` permissions in RBAC policies.
• **Network Policies**: Block direct access to the API server from untrusted networks.…
**Urgency**: CRITICAL. This allows direct container escape and secret theft. If you are running an affected version, patch IMMEDIATELY. Do not wait for the next maintenance window.