Platform
kubernetes
Component
kube-rbac-proxy
Fixed version
0.4.2
CVE-2019-3818 affects kube-rbac-proxy versions up to 0.4.1, specifically within Red Hat OpenShift Container Platform deployments. This vulnerability stems from the proxy's failure to properly enforce TLS configurations, permitting the use of insecure ciphers and the outdated TLS 1.0 protocol. Successful exploitation could compromise the confidentiality of data transmitted over TLS connections.
An attacker exploiting CVE-2019-3818 could target traffic traversing the kube-rbac-proxy with a weak TLS configuration. By leveraging techniques like downgrade attacks or cipher suite selection, they could potentially decrypt sensitive information exchanged between components. This could lead to unauthorized access to Kubernetes API data, including authentication tokens, service account credentials, and other critical configuration details. The blast radius extends to any application or service relying on the kube-rbac-proxy for authorization and authentication within the OpenShift environment. While the CVSS score is LOW, the potential for data exfiltration and privilege escalation warrants immediate attention.
CVE-2019-3818 was publicly disclosed on February 5, 2019. There is no indication of active exploitation campaigns targeting this vulnerability. Public proof-of-concept exploits are not widely available, but the theoretical possibility of exploitation remains. The vulnerability is not currently listed on the CISA KEV catalog.
Organizations utilizing Red Hat OpenShift Container Platform with kube-rbac-proxy versions prior to 0.4.1 are at risk. This includes environments relying on OpenShift's built-in RBAC features and those with custom applications integrated with the platform's authentication and authorization mechanisms.
• kubernetes / server:
kubectl get pods -n kube-system | grep kube-rbac-proxy
• kubernetes / server:
kubectl describe pod <kube-rbac-proxy-pod> -n kube-system | grep -i tls
• kubernetes / server:
journalctl -u kube-rbac-proxy -f | grep -i "TLS configuration"
Exploitation status
EPSS
0.07% (23rd percentile)
CVSS vector
The primary mitigation for CVE-2019-3818 is upgrading kube-rbac-proxy to version 0.4.1 or later. This version incorporates the necessary fixes to enforce secure TLS configurations. If an immediate upgrade is not feasible, consider implementing temporary workarounds such as deploying a Web Application Firewall (WAF) or reverse proxy in front of kube-rbac-proxy to restrict the use of weak ciphers and disable TLS 1.0. Regularly review and update TLS configurations to adhere to industry best practices. After upgrade, confirm proper TLS configuration by verifying cipher suite usage and TLS protocol version.
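The post-upgrade check described above, as an added example that is not code from this page or from kube-rbac-proxy: it runs an in-memory Go TLS handshake against a listener configured first with a TLS 1.0 floor and then with a TLS 1.2 floor, and reports whether a client that offers nothing newer than TLS 1.0 gets through. The TLS 1.2 floor, the AEAD-only suite list and the helper names are assumed illustrative values, not the project's actual settings.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// ModernSuites is the AEAD-only suite list the hardened listener is limited to.
var ModernSuites = []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305}

// ServerConfig builds the listener config. tls.VersionTLS12 with ModernSuites is
// the fixed state; tls.VersionTLS10 with a nil list (Go's defaults, which still
// carry CBC suites usable under TLS 1.0) reproduces the pre-fix acceptance of weak
// settings. Illustrative values assumed here, not kube-rbac-proxy's own code.
func ServerConfig(cert tls.Certificate, minVersion uint16, suites []uint16) *tls.Config {
	return &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             minVersion,
		CipherSuites:           suites,
		SessionTicketsDisabled: true, // keeps the in-memory handshake below to one write per flight
	}
}

// SelfSignedCert builds a throwaway ECDSA certificate for the local handshake.
func SelfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
}

// Accepts reports whether a server running cfg completes a handshake with a client
// that offers nothing newer than maxVersion: the post-upgrade check the advisory asks for.
func Accepts(cfg *tls.Config, maxVersion uint16) bool {
	srv, cli := net.Pipe() // in-memory connection: no socket, no network
	defer srv.Close()
	defer cli.Close()
	cli.SetDeadline(time.Now().Add(5 * time.Second)) // never hang on a broken exchange
	go tls.Server(srv, cfg).Handshake()               // server side runs in the background
	client := &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS10, MaxVersion: maxVersion}
	return tls.Client(cli, client).Handshake() == nil
}
```

Against a live kube-rbac-proxy endpoint the same check is done from outside with a TLS 1.0-only client; a connection that completes means the upgrade has not taken effect.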
Update kube-rbac-proxy to version 0.4.1 or later. This corrects the TLS configuration, prevents the use of insecure cipher suites and TLS 1.0, and strengthens the security of TLS connections.
CVE-2019-3818 is a LOW severity vulnerability in kube-rbac-proxy versions ≤0.4.1 allowing insecure ciphers and TLS 1.0, potentially compromising data encryption.
You are affected if you are using Red Hat OpenShift Container Platform with kube-rbac-proxy versions 0.4.1 or earlier.
Upgrade kube-rbac-proxy to version 0.4.1 or later. As a temporary workaround, implement WAF rules to restrict weak ciphers.
There's no current evidence of active exploitation, but the vulnerability remains a potential risk.
Refer to the Red Hat security advisory for details: https://access.redhat.com/security/cve/CVE-2019-3818