Platform: kubernetes
Component: kube-rbac-proxy
Fixed in: 0.4.2
CVE-2019-3818 affects kube-rbac-proxy versions up to 0.4.1, specifically within Red Hat OpenShift Container Platform deployments. This vulnerability stems from the proxy's failure to properly enforce TLS configurations, permitting the use of insecure ciphers and the outdated TLS 1.0 protocol. Successful exploitation could compromise the confidentiality of data transmitted over TLS connections.
An attacker exploiting CVE-2019-3818 could target traffic traversing the kube-rbac-proxy with a weak TLS configuration. By leveraging techniques like downgrade attacks or cipher suite selection, they could potentially decrypt sensitive information exchanged between components. This could lead to unauthorized access to Kubernetes API data, including authentication tokens, service account credentials, and other critical configuration details. The blast radius extends to any application or service relying on the kube-rbac-proxy for authorization and authentication within the OpenShift environment. While the CVSS score is LOW, the potential for data exfiltration and privilege escalation warrants immediate attention.
CVE-2019-3818 was publicly disclosed on February 5, 2019. There is no indication of active exploitation campaigns targeting this vulnerability. Public proof-of-concept exploits are not widely available, but the theoretical possibility of exploitation remains. The vulnerability is not currently listed on the CISA KEV catalog.
Organizations utilizing Red Hat OpenShift Container Platform with kube-rbac-proxy versions prior to 0.4.1 are at risk. This includes environments relying on OpenShift's built-in RBAC features and those with custom applications integrated with the platform's authentication and authorization mechanisms.
• kubernetes / server:
  kubectl get pods -n kube-system | grep kube-rbac-proxy
• kubernetes / server:
  kubectl describe pod <kube-rbac-proxy-pod> -n kube-system | grep -i tls
• kubernetes / server:
  journalctl -u kube-rbac-proxy -f | grep -i "TLS configuration"
EPSS: 0.07% (23rd percentile)
The primary mitigation for CVE-2019-3818 is upgrading kube-rbac-proxy to version 0.4.1 or later. This version incorporates the necessary fixes to enforce secure TLS configurations. If an immediate upgrade is not feasible, consider implementing temporary workarounds such as deploying a Web Application Firewall (WAF) or reverse proxy in front of kube-rbac-proxy to restrict the use of weak ciphers and disable TLS 1.0. Regularly review and update TLS configurations to adhere to industry best practices. After upgrade, confirm proper TLS configuration by verifying cipher suite usage and TLS protocol version.
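One way to carry out the post-upgrade check described above, as an added example that is not part of the advisory or of the kube-rbac-proxy project: a POSIX shell script that probes a kube-rbac-proxy HTTPS listener with openssl s_client for TLS 1.0, TLS 1.1 and a handful of weak TLS 1.2 suites. It assumes openssl is on PATH and that HOST:PORT reaches the proxy (for instance through kubectl port-forward); the port in the usage line is an assumption.

```shell
#!/bin/sh
# Post-upgrade TLS check for a kube-rbac-proxy listener (added example, not
# part of the advisory). Assumes `openssl` is on PATH and that HOST:PORT
# reaches the proxy, e.g. via `kubectl port-forward`.
set -u

# handshake_ok: reads `openssl s_client` output on stdin, prints "yes" if a
# cipher suite was negotiated and "no" otherwise. On a refused handshake
# s_client prints "Cipher is (NONE)"; on success, "Cipher is <suite>".
# Anything else (connection refused, unsupported option) counts as "no".
handshake_ok() {
  out=$(cat)
  case "$out" in
    *"Cipher is (NONE)"*) echo no ;;
    *"Cipher is "*)       echo yes ;;
    *)                    echo no ;;
  esac
}

# probe TARGET PROTO_FLAG CIPHERS: one handshake attempt, reported as yes/no.
# @SECLEVEL=0 lets an OpenSSL 3 client offer legacy protocols and suites
# that its default security policy would otherwise refuse to negotiate.
probe() {
  openssl s_client -connect "$1" "$2" -cipher "$3" </dev/null 2>&1 | handshake_ok
}

# check_endpoint HOST:PORT: prints one verdict per test; exit status is
# non-zero if the endpoint still accepts TLS 1.0, TLS 1.1 or weak suites.
check_endpoint() {
  rc=0
  for flag in -tls1 -tls1_1; do
    r=$(probe "$1" "$flag" 'DEFAULT:@SECLEVEL=0')
    echo "$flag accepted: $r"
    [ "$r" = no ] || rc=1
  done
  # RC4, 3DES, NULL and EXPORT suites at TLS 1.2: any success is a finding.
  r=$(probe "$1" -tls1_2 'RC4:3DES:NULL:EXPORT:@SECLEVEL=0')
  echo "weak TLS 1.2 suites accepted: $r"
  [ "$r" = no ] || rc=1
  return $rc
}

# Usage: sh check-tls.sh 127.0.0.1:8443   (port is an assumption)
if [ -n "${1:-}" ]; then check_endpoint "$1"; fi
```

A "no" verdict also results when the local openssl build cannot offer the probed protocol at all (for example a build without TLS 1.0 support), so confirm the client side once against a known-legacy endpoint before trusting a clean result.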
Update kube-rbac-proxy to version 0.4.1 or later. This corrects the TLS configuration so that insecure ciphers and TLS 1.0 are no longer used, strengthening the security of TLS connections.
CVE-2019-3818 is a LOW severity vulnerability in kube-rbac-proxy versions ≤0.4.1 allowing insecure ciphers and TLS 1.0, potentially compromising data encryption.
You are affected if you are using Red Hat OpenShift Container Platform with kube-rbac-proxy versions 0.4.1 or earlier.
Upgrade kube-rbac-proxy to version 0.4.1 or later. As a temporary workaround, implement WAF rules to restrict weak ciphers.
There's no current evidence of active exploitation, but the vulnerability remains a potential risk.
Refer to the Red Hat security advisory for details: https://access.redhat.com/security/cve/CVE-2019-3818