Security release of dashboard v1.10.1 - CVE-2018-18264

security

#1

Hello Kubernauts,

Happy new year!

A security issue was discovered in kubernetes dashboard versions
v1.10.0 or older. The issue is High if you are using custom
certificates for the dashboard. Upgrading to v1.10.1 of the dashboard
is encouraged to fix this issue.

Am I vulnerable?

If you are running the kubernetes dashboard version that has login
functionality (v1.7.0 - v1.10.0) and you use custom certificates you
are vulnerable.

How can I mitigate the issue?

Delete the dashboard:

kubectl --namespace kube-system delete deployment kubernetes-dashboard

How do I upgrade?

Follow the installation instructions at

Vulnerability Details

The TLS secrets for a Kubernetes Dashboard can be obtained by visiting
https://[DASHBOARD_HOST]/api/v1/secret/kube-system/kubernetes-dashboard-certs.
This occurs even if you have authentication via token enabled on the
dashboard.

If you were using custom certificates for the dashboard those will
need to be revoked because they may have been compromised. If you are
not using custom certificates you are safe since the default behavior
is to generate certs and store them in-memory.

This is being updated in the kubernetes addons here:
https://github.com/kubernetes/kubernetes/pull/72495 and will be
cherry-picked to the next patch version of 1.13.

Thank you

Thank you to Tomek Rabczak for the find and Sebastian Florek for the
coordination in making this release.

Thanks,

Jess on behalf of the Kubernetes Product Security Team


#2