2.7.3
2.7.2
CVE-2019-1010275 describes an improper certificate validation vulnerability within Helm, a package manager for Kubernetes. This flaw allows attackers to perform man-in-the-middle (MITM) attacks, potentially leading to the deployment of malicious Kubernetes charts. The vulnerability affects Helm versions prior to 2.7.2+incompatible, and a fix has been released. Promptly upgrading is crucial to secure your Kubernetes deployments.
The core of this vulnerability lies in Helm's failure to properly validate the certificates used during chart downloads and deployments. An attacker positioned between the client and the chart repository can intercept the communication, present a forged certificate, and inject malicious code into the chart. This malicious chart, once deployed, could compromise the entire Kubernetes cluster. Attackers could gain unauthorized access to sensitive data, escalate privileges, or even take complete control of the cluster. The impact is particularly severe because Helm is often used to automate complex deployments, making it a prime target for attackers seeking to gain widespread control.
This vulnerability was publicly disclosed in 2019. While no widespread exploitation campaigns have been definitively linked to CVE-2019-1010275, the potential for MITM attacks makes it a persistent risk. It is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are available, demonstrating the feasibility of the attack.
Organizations heavily reliant on Helm for Kubernetes deployments, particularly those using public or untrusted Helm repositories, are at significant risk. Environments with legacy Helm installations or those lacking robust network security controls are also particularly vulnerable.
• linux / server:
find /var/lib/helm/cache -type f -name '*.tgz' -printf '%P\n' | xargs sha256sum | grep -v 'expected_checksum'• generic web:
curl -I https://your-helm-repo.example.com/index.yaml | grep 'Server:'disclosure
patch
エクスプロイト状況
EPSS
0.30% (54% パーセンタイル)
CVSS ベクトル
The primary mitigation for CVE-2019-1010275 is to upgrade Helm to version 2.7.2+incompatible or later. If an immediate upgrade is not feasible due to compatibility issues, consider implementing stricter network controls to prevent unauthorized access to your Helm repositories. Verify that your Helm repositories are served over HTTPS and that you are using trusted certificate authorities. Additionally, implement a process for verifying the integrity of downloaded charts before deployment. After upgrading, confirm the fix by attempting a chart deployment and verifying that the certificate validation process is functioning correctly.
Helmをバージョン2.7.2以降にアップデートしてください。このバージョンでは、不正な証明書検証が修正され、未承認のクライアントがサーバーに接続できなくなります。アップデートは、Helmの公式サイトから新しいバージョンをダウンロードするか、対応するパッケージマネージャーを使用することで実行できます。
脆弱性分析と重要アラートをメールでお届けします。
CVE-2019-1010275 is a critical vulnerability in Helm allowing man-in-the-middle attacks. It affects versions before 2.7.2+incompatible, enabling attackers to intercept and modify Kubernetes charts.
You are affected if you are using Helm versions prior to 2.7.2+incompatible. Check your Helm version and upgrade immediately if vulnerable.
Upgrade Helm to version 2.7.2+incompatible or later. If immediate upgrade is not possible, implement stricter network controls and chart verification processes.
While no widespread exploitation campaigns are confirmed, the vulnerability's potential makes it a persistent risk. Public proof-of-concept exploits exist.
Refer to the official Helm security advisory: https://security.helm.sh/advisories/CVE-2019-1010275
go.mod ファイルをアップロードすると、影響の有無を即座にお知らせします。