Platform: kubernetes
Component: kube-rbac-proxy
Fixed in: 0.4.2
CVE-2019-3818 affects kube-rbac-proxy versions up to 0.4.1, specifically within Red Hat OpenShift Container Platform deployments. The vulnerability stems from the proxy not enforcing a secure TLS configuration: it permits insecure cipher suites and the obsolete TLS 1.0 protocol. Successful exploitation could compromise the confidentiality of data transmitted over TLS connections to the proxy.
An attacker exploiting CVE-2019-3818 would target traffic traversing a kube-rbac-proxy instance with this weak TLS configuration. Through protocol downgrade or weak cipher suite negotiation, they could potentially decrypt sensitive information exchanged between components. This could expose Kubernetes API data, including authentication tokens, service account credentials, and other critical configuration details. The blast radius extends to any application or service relying on the kube-rbac-proxy for authorization and authentication within the OpenShift environment. While the CVSS score is LOW, the potential for data exfiltration and subsequent privilege escalation warrants prompt attention.
CVE-2019-3818 was publicly disclosed on February 5, 2019. There is no indication of active exploitation campaigns targeting this vulnerability. Public proof-of-concept exploits are not widely available, but the theoretical possibility of exploitation remains. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.07% (23rd percentile)
CVSS Vector
The primary mitigation for CVE-2019-3818 is upgrading kube-rbac-proxy to version 0.4.1 or later. This version incorporates the necessary fixes to enforce a secure TLS configuration. If an immediate upgrade is not feasible, consider a temporary workaround such as placing a TLS-terminating reverse proxy or Web Application Firewall (WAF) in front of kube-rbac-proxy that refuses weak cipher suites and TLS 1.0; note that a WAF can only enforce cipher and protocol policy if it terminates the TLS connection itself. Regularly review and update TLS configurations to adhere to industry best practices. After upgrading, confirm the TLS configuration by checking which protocol versions and cipher suites the proxy actually negotiates.
Update kube-rbac-proxy to version 0.4.1 or later. This corrects the TLS configuration to prevent the use of insecure ciphers and TLS 1.0, strengthening the security of TLS connections.
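The following is an added example, not code from kube-rbac-proxy or from the advisory. It uses only the Go standard library (the proxy is written in Go) to put a tls.Config of the kind the CVE describes, one that accepts TLS 1.0 and a legacy CBC/SHA-1 suite, next to a hardened one, and then runs the post-upgrade check the remediation text asks for: a loopback probe that reports which protocol version and cipher suite a given server policy negotiates. The specific cipher suites listed are assumptions for illustration; the advisory does not name which suites version 0.4.1 allowed. The self-signed certificate is constructed for the test only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// selfSignedCert creates a throwaway ECDSA certificate for the loopback server
// below. Constructed for this example; it is not a real identity.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// WeakServerConfig is an illustrative stand-in for the class of policy
// CVE-2019-3818 describes (TLS 1.0 floor, legacy CBC/SHA-1 suite allowed).
// It is an assumption for this example, not kube-rbac-proxy's actual code.
func WeakServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS10,
		CipherSuites: []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA},
	}
}

// HardenedServerConfig enforces TLS 1.2 as the floor and only AEAD suites.
// (Go fixes the TLS 1.3 suite list itself; CipherSuites only governs TLS 1.2.)
func HardenedServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
		},
	}
}

// clientConfig builds a probing client that offers at most maxVersion and, when
// suites is non-nil, only those cipher suites. Certificate verification is
// skipped solely because the test server presents a self-signed certificate.
func clientConfig(maxVersion uint16, suites []uint16) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true,
		MinVersion:         tls.VersionTLS10,
		MaxVersion:         maxVersion,
		CipherSuites:       suites,
	}
}

// handshake runs one TLS handshake against a loopback listener using the given
// server policy and returns the negotiated version and suite, or the error the
// probing client observed (a rejected downgrade surfaces here as an alert).
func handshake(server, client *tls.Config) (version, suite uint16, err error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", server)
	if err != nil {
		return 0, 0, err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		_ = c.(*tls.Conn).Handshake() // failure is reported to the client side
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), client)
	if err != nil {
		return 0, 0, err
	}
	defer conn.Close()
	st := conn.ConnectionState()
	return st.Version, st.CipherSuite, nil
}

func main() {
	cert, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	legacy := clientConfig(tls.VersionTLS10, []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA})
	for _, server := range []*tls.Config{WeakServerConfig(cert), HardenedServerConfig(cert)} {
		v, s, err := handshake(server, legacy)
		fmt.Printf("server MinVersion=0x%04x, TLS 1.0 client -> version=0x%04x suite=%s err=%v\n",
			server.MinVersion, v, tls.CipherSuiteName(s), err)
	}
}
```

To verify a live endpoint after upgrading, reuse the same client configurations with tls.Dial against the real address instead of the loopback listener: the TLS 1.0 client and a client restricted to CBC/SHA-1 suites should be refused, while a current client should report version 0x0303 (TLS 1.2) or 0x0304 (TLS 1.3) with an AEAD suite.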
CVE-2019-3818 is a LOW severity vulnerability in kube-rbac-proxy versions ≤0.4.1 allowing insecure ciphers and TLS 1.0, potentially compromising data encryption.
You are affected if you are using Red Hat OpenShift Container Platform with kube-rbac-proxy versions 0.4.1 or earlier.
Upgrade kube-rbac-proxy to version 0.4.1 or later. As a temporary workaround, implement WAF rules to restrict weak ciphers.
There's no current evidence of active exploitation, but the vulnerability remains a potential risk.
Refer to the Red Hat security advisory for details: https://access.redhat.com/security/cve/CVE-2019-3818