Platform
kubernetes
Component
kube-rbac-proxy
Fixed version
0.4.2
CVE-2019-3818 affects kube-rbac-proxy versions up to 0.4.1, specifically within Red Hat OpenShift Container Platform deployments. This vulnerability stems from the proxy's failure to properly enforce TLS configurations, permitting the use of insecure ciphers and the outdated TLS 1.0 protocol. Successful exploitation could compromise the confidentiality of data transmitted over TLS connections.
An attacker exploiting CVE-2019-3818 could target traffic traversing the kube-rbac-proxy with a weak TLS configuration. By leveraging techniques like downgrade attacks or cipher suite selection, they could potentially decrypt sensitive information exchanged between components. This could lead to unauthorized access to Kubernetes API data, including authentication tokens, service account credentials, and other critical configuration details. The blast radius extends to any application or service relying on the kube-rbac-proxy for authorization and authentication within the OpenShift environment. While the CVSS score is LOW, the potential for data exfiltration and privilege escalation warrants immediate attention.
CVE-2019-3818 was publicly disclosed on February 5, 2019. There is no indication of active exploitation campaigns targeting this vulnerability. Public proof-of-concept exploits are not widely available, but the theoretical possibility of exploitation remains. The vulnerability is not currently listed on the CISA KEV catalog.
Organizations utilizing Red Hat OpenShift Container Platform with kube-rbac-proxy versions prior to 0.4.1 are at risk. This includes environments relying on OpenShift's built-in RBAC features and those with custom applications integrated with the platform's authentication and authorization mechanisms.
• kubernetes / server: `kubectl get pods -n kube-system | grep kube-rbac-proxy`
• kubernetes / server: `kubectl describe pod <kube-rbac-proxy-pod> -n kube-system | grep -i tls`
• kubernetes / server: `journalctl -u kube-rbac-proxy -f | grep -i "TLS configuration"`
Disclosure
Exploitation status
EPSS
0.07% (23rd percentile)
CVSS 向量
The primary mitigation for CVE-2019-3818 is upgrading kube-rbac-proxy to version 0.4.1 or later. This version incorporates the necessary fixes to enforce secure TLS configurations. If an immediate upgrade is not feasible, consider implementing temporary workarounds such as deploying a Web Application Firewall (WAF) or reverse proxy in front of kube-rbac-proxy to restrict the use of weak ciphers and disable TLS 1.0. Regularly review and update TLS configurations to adhere to industry best practices. After upgrade, confirm proper TLS configuration by verifying cipher suite usage and TLS protocol version.
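As an added example (not kube-rbac-proxy's own code), the Go program below shows what a hardened `tls.Config` of the kind the advisory calls for looks like, and audits a config for the two weaknesses named above: a minimum version that still admits TLS 1.0, and cipher suites that Go's `crypto/tls` itself classifies as insecure. The function names are assumptions made for the example.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// hardenedTLSConfig pins the minimum protocol version to TLS 1.2 and lists
// only AEAD suites with forward secrecy. (Example code; assumed names.)
func hardenedTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
	}
}

// legacyTLSConfig is a constructed example of the weak settings the advisory
// describes: TLS 1.0 permitted and an RC4 suite enabled.
func legacyTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion:   tls.VersionTLS10,
		CipherSuites: []uint16{tls.TLS_RSA_WITH_RC4_128_SHA},
	}
}

// auditTLSConfig returns one finding per weakness. A MinVersion of zero
// leaves the choice to the library default, so it is flagged as not pinned.
func auditTLSConfig(cfg *tls.Config) []string {
	var findings []string
	if cfg.MinVersion == 0 || cfg.MinVersion < tls.VersionTLS12 {
		findings = append(findings, "minimum TLS version not pinned to 1.2 or newer")
	}
	insecure := map[uint16]string{}
	for _, cs := range tls.InsecureCipherSuites() {
		insecure[cs.ID] = cs.Name
	}
	for _, id := range cfg.CipherSuites {
		if name, ok := insecure[id]; ok {
			findings = append(findings, "insecure cipher suite enabled: "+name)
		}
	}
	return findings
}

func main() {
	fmt.Println("legacy:  ", auditTLSConfig(legacyTLSConfig()))
	fmt.Println("hardened:", auditTLSConfig(hardenedTLSConfig()))
}
```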
Update kube-rbac-proxy to version 0.4.1 or later. This fixes the TLS configuration so that insecure cipher suites and TLS 1.0 are no longer used, hardening TLS connections.
CVE-2019-3818 is a LOW severity vulnerability in kube-rbac-proxy versions ≤0.4.1 allowing insecure ciphers and TLS 1.0, potentially compromising data encryption.
You are affected if you are using Red Hat OpenShift Container Platform with kube-rbac-proxy versions 0.4.1 or earlier.
Upgrade kube-rbac-proxy to version 0.4.1 or later. As a temporary workaround, implement WAF rules to restrict weak ciphers.
There's no current evidence of active exploitation, but the vulnerability remains a potential risk.
Refer to the Red Hat security advisory for details: https://access.redhat.com/security/cve/CVE-2019-3818