Platform: kubernetes
Component: kube-rbac-proxy
Fixed in: 0.4.2
CVE-2019-3818 affects kube-rbac-proxy versions up to 0.4.1, specifically within Red Hat OpenShift Container Platform deployments. The vulnerability stems from the proxy not enforcing a secure TLS configuration, so insecure cipher suites and the obsolete TLS 1.0 protocol could be negotiated. Successful exploitation could compromise the confidentiality of data transmitted over TLS connections.
An attacker exploiting CVE-2019-3818 could target traffic traversing the kube-rbac-proxy with a weak TLS configuration. By leveraging techniques like downgrade attacks or cipher suite selection, they could potentially decrypt sensitive information exchanged between components. This could lead to unauthorized access to Kubernetes API data, including authentication tokens, service account credentials, and other critical configuration details. The blast radius extends to any application or service relying on the kube-rbac-proxy for authorization and authentication within the OpenShift environment. While the CVSS score is LOW, the potential for data exfiltration and privilege escalation warrants immediate attention.
CVE-2019-3818 was publicly disclosed on February 5, 2019. There is no indication of active exploitation campaigns targeting this vulnerability. Public proof-of-concept exploits are not widely available, but the theoretical possibility of exploitation remains. The vulnerability is not currently listed on the CISA KEV catalog.
Organizations utilizing Red Hat OpenShift Container Platform with kube-rbac-proxy versions prior to 0.4.1 are at risk. This includes environments relying on OpenShift's built-in RBAC features and those with custom applications integrated with the platform's authentication and authorization mechanisms.
• kubernetes / server: kubectl get pods -n kube-system | grep kube-rbac-proxy
• kubernetes / server: kubectl describe pod <kube-rbac-proxy-pod> -n kube-system | grep -i tls
• kubernetes / server: journalctl -u kube-rbac-proxy -f | grep -i "TLS configuration"
EPSS: 0.07% (23rd percentile)
The primary mitigation for CVE-2019-3818 is upgrading kube-rbac-proxy to version 0.4.1 or later, which incorporates the fixes needed to enforce a secure TLS configuration. If an immediate upgrade is not feasible, consider a temporary workaround such as deploying a Web Application Firewall (WAF) or reverse proxy in front of kube-rbac-proxy that restricts weak ciphers and disables TLS 1.0; for this to help, the intermediary must terminate TLS itself so that clients never negotiate directly with kube-rbac-proxy. Regularly review and update TLS configurations to adhere to industry best practices. After the upgrade, confirm the TLS configuration by verifying which cipher suites and TLS protocol versions are actually negotiated.
Update kube-rbac-proxy to version 0.4.1 or higher. This corrects the TLS configuration to prevent the use of insecure ciphers and TLS 1.0 and strengthens the security of TLS connections.
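As an added example (not code from the advisory or the kube-rbac-proxy project), the following script audits `kubectl get pods -A -o json` output for kube-rbac-proxy sidecars that are below the fixed version or explicitly configured with weak TLS. The `--tls-min-version` and `--tls-cipher-suites` flags and the Go-style identifiers they take are assumptions about the fixed releases, and the pod list is constructed.

```python
# Added example, not from the advisory; flag names and TLS identifiers are assumptions.
import json
import re

FIXED_VERSION = (0, 4, 2)  # "Fixed in" value on the advisory page
WEAK_MIN_VERSIONS = {"VersionTLS10", "VersionTLS11"}
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "NULL", "EXPORT")

# Constructed sample in `kubectl get pods -o json` shape: one patched sidecar,
# one unpatched sidecar explicitly pinned to TLS 1.0 and an RC4 suite.
SAMPLE_PODS = json.loads("""{"items": [
 {"metadata": {"name": "metrics-a", "namespace": "monitoring"}, "spec": {"containers": [
  {"name": "kube-rbac-proxy", "image": "quay.io/example/kube-rbac-proxy:v0.4.2",
   "args": ["--secure-listen-address=0.0.0.0:8443", "--tls-min-version=VersionTLS12"]}]}},
 {"metadata": {"name": "metrics-b", "namespace": "monitoring"}, "spec": {"containers": [
  {"name": "kube-rbac-proxy", "image": "quay.io/example/kube-rbac-proxy:v0.4.1",
   "args": ["--secure-listen-address=0.0.0.0:8443", "--tls-min-version", "VersionTLS10",
            "--tls-cipher-suites=TLS_RSA_WITH_RC4_128_SHA"]}]}}]}""")

def image_version(image):
    """Return (major, minor, patch) parsed from an image tag like ':v0.4.1', else None."""
    m = re.search(r":v?(\d+)\.(\d+)\.(\d+)", image)
    return tuple(int(x) for x in m.groups()) if m else None

def flag_value(args, flag):
    """Read '--flag=value' or '--flag value' from a container args list."""
    for i, a in enumerate(args):
        if a.startswith(flag + "="):
            return a.split("=", 1)[1]
        if a == flag and i + 1 < len(args):
            return args[i + 1]
    return None

def audit(pod_list):
    """Return (namespace/pod, finding) pairs for every weak kube-rbac-proxy sidecar."""
    findings = []
    for pod in pod_list["items"]:
        ref = f"{pod['metadata']['namespace']}/{pod['metadata']['name']}"
        for c in pod["spec"]["containers"]:
            if "kube-rbac-proxy" not in c["image"]:
                continue
            args = c.get("args", [])
            ver = image_version(c["image"])
            if ver is not None and ver < FIXED_VERSION:
                findings.append((ref, f"unpatched image {c['image']}"))
            minv = flag_value(args, "--tls-min-version")
            if minv in WEAK_MIN_VERSIONS:
                findings.append((ref, f"weak --tls-min-version={minv}"))
            suites = (flag_value(args, "--tls-cipher-suites") or "").split(",")
            weak = [s for s in suites if any(k in s for k in WEAK_CIPHER_MARKERS)]
            if weak:
                findings.append((ref, "weak cipher suites: " + ",".join(weak)))
    return findings
```

Run it against real cluster output with `json.load(open("pods.json"))` in place of the constructed sample; an empty result means no sidecar is below the fix or explicitly pinned to weak settings, not that negotiated ciphers were verified.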
CVE-2019-3818 is a LOW severity vulnerability in kube-rbac-proxy versions ≤0.4.1 allowing insecure ciphers and TLS 1.0, potentially compromising data encryption.
You are affected if you are using Red Hat OpenShift Container Platform with kube-rbac-proxy versions 0.4.1 or earlier.
Upgrade kube-rbac-proxy to version 0.4.1 or later. As a temporary workaround, implement WAF rules to restrict weak ciphers.
There's no current evidence of active exploitation, but the vulnerability remains a potential risk.
Refer to the Red Hat security advisory for details: https://access.redhat.com/security/cve/CVE-2019-3818