add suggestions to audit blog
parent
2f031cbfa0
commit
ed66bfdc60
|
@ -38,11 +38,11 @@ commenting directly on the relevant issue.
|
||||||
|
|
||||||
| **\#** | **Title** | **Issue** | **Status** |
|
| **\#** | **Title** | **Issue** | **Status** |
|
||||||
| ------ | ------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
| ------ | ------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
||||||
| 1 | hostPath PersistentVolumes enable PodSecurityPolicy bypass | [#81110](https://github.com/kubernetes/kubernetes/issues/81110) | closed, addressed by [kubernetes/website#15756](https://github.com/kubernetes/website/pull/15756) |
|
| 1 | hostPath PersistentVolumes enable PodSecurityPolicy bypass | [#81110](https://github.com/kubernetes/kubernetes/issues/81110) | closed, addressed by [kubernetes/website#15756](https://github.com/kubernetes/website/pull/15756) and [kubernetes/kubernetes#109798](https://github.com/kubernetes/kubernetes/pull/109798) |
|
||||||
| 2 | Kubernetes does not facilitate certificate revocation | [#81111](https://github.com/kubernetes/kubernetes/issues/81111) | duplicate of [#18982](https://github.com/kubernetes/kubernetes/issues/18982) and **needs a KEP** |
|
| 2 | Kubernetes does not facilitate certificate revocation | [#81111](https://github.com/kubernetes/kubernetes/issues/81111) | duplicate of [#18982](https://github.com/kubernetes/kubernetes/issues/18982) and **needs a KEP** |
|
||||||
| 3 | HTTPS connections are not authenticated | [#81112](https://github.com/kubernetes/kubernetes/issues/81112) | Largely left as an end user exercise in setting up the right configuration |
|
| 3 | HTTPS connections are not authenticated | [#81112](https://github.com/kubernetes/kubernetes/issues/81112) | Largely left as an end user exercise in setting up the right configuration |
|
||||||
| 4 | <abbr title="Time-of-check to time-of-use bug">TOCTOU</abbr> when moving PID to manager's cgroup via kubelet | [#81113](https://github.com/kubernetes/kubernetes/issues/81113) | Requires Node access for successful exploitation. Fix needed |
|
| 4 | <abbr title="Time-of-check to time-of-use bug">TOCTOU</abbr> when moving PID to manager's cgroup via kubelet | [#81113](https://github.com/kubernetes/kubernetes/issues/81113) | Requires Node access for successful exploitation. Fix needed |
|
||||||
| 5 | Improperly patched directory traversal in kubectl cp | [#76788](https://github.com/kubernetes/kubernetes/pull/76788) | closed, assigned [CVE-2019-11249](https://github.com/advisories/GHSA-v8c4-hw4j-x4pr), fixed in [#80436](https://github.com/kubernetes/kubernetes/pull/80436) |
|
| 5 | Improperly patched directory traversal in `kubectl cp` | [#76788](https://github.com/kubernetes/kubernetes/pull/76788) | closed, assigned [CVE-2019-11249](https://github.com/advisories/GHSA-v8c4-hw4j-x4pr), fixed in [#80436](https://github.com/kubernetes/kubernetes/pull/80436) |
|
||||||
| 6 | Bearer tokens are revealed in logs | [#81114](https://github.com/kubernetes/kubernetes/issues/81114) | closed, assigned [CVE-2019-11250](https://github.com/advisories/GHSA-jmrx-5g74-6v2f), fixed in [#81330](https://github.com/kubernetes/kubernetes/pull/81330) |
|
| 6 | Bearer tokens are revealed in logs | [#81114](https://github.com/kubernetes/kubernetes/issues/81114) | closed, assigned [CVE-2019-11250](https://github.com/advisories/GHSA-jmrx-5g74-6v2f), fixed in [#81330](https://github.com/kubernetes/kubernetes/pull/81330) |
|
||||||
| 7 | Seccomp is disabled by default | [#81115](https://github.com/kubernetes/kubernetes/issues/81115) | closed, addressed by [#101943](https://github.com/kubernetes/kubernetes/pull/101943) |
|
| 7 | Seccomp is disabled by default | [#81115](https://github.com/kubernetes/kubernetes/issues/81115) | closed, addressed by [#101943](https://github.com/kubernetes/kubernetes/pull/101943) |
|
||||||
| 8 | Pervasive world-accessible file permissions | [#81116](https://github.com/kubernetes/kubernetes/issues/81116) | [#112384](https://github.com/kubernetes/kubernetes/pull/112384) ( in progress) |
|
| 8 | Pervasive world-accessible file permissions | [#81116](https://github.com/kubernetes/kubernetes/issues/81116) | [#112384](https://github.com/kubernetes/kubernetes/pull/112384) ( in progress) |
|
||||||
|
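Review bot: the status cell for row 8 still reads "( in progress)" with a stray space after the opening parenthesis; since this hunk already rewrites the neighbouring rows, it is worth correcting that to "(in progress)" here rather than in a follow-up. The hunk also wraps `kubectl cp` in backticks in row 5 but leaves `kubelet` in row 4's title ("TOCTOU when moving PID to manager's cgroup via kubelet") as plain text, so tool names are now formatted inconsistently within one table; either backtick both or neither. The status column likewise mixes lowercase entries ("closed, addressed by …") with sentence-case ones ("Requires Node access for successful exploitation. Fix needed"), which reads as unfinished editing.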
@ -121,7 +121,7 @@ benefits to fix a particular issue higher or lower.
|
||||||
| ------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------- | --------------- | ---------- | -------------------- |
|
| ------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------- | --------------- | ---------- | -------------------- |
|
||||||
| Kubernetes does not facilitate certificate revocation | [#81111](https://github.com/kubernetes/kubernetes/issues/81111) | High | High | Medium |
|
| Kubernetes does not facilitate certificate revocation | [#81111](https://github.com/kubernetes/kubernetes/issues/81111) | High | High | Medium |
|
||||||
| Use of InsecureSkipVerify and other TLS weaknesses | [#81119](https://github.com/kubernetes/kubernetes/issues/81119) | High | High | Medium |
|
| Use of InsecureSkipVerify and other TLS weaknesses | [#81119](https://github.com/kubernetes/kubernetes/issues/81119) | High | High | Medium |
|
||||||
| Kubectl can cause a local Out Of Memory error with a malicious Pod specification | [#81123](https://github.com/kubernetes/kubernetes/issues/81123) | Medium | Medium | Medium |
|
| `kubectl` can cause a local Out Of Memory error with a malicious Pod specification | [#81123](https://github.com/kubernetes/kubernetes/issues/81123) | Medium | Medium | Medium |
|
||||||
| Improper fetching of PIDs allows incorrect cgroup movement | [#81124](https://github.com/kubernetes/kubernetes/issues/81124) | Medium | Medium | Medium |
|
| Improper fetching of PIDs allows incorrect cgroup movement | [#81124](https://github.com/kubernetes/kubernetes/issues/81124) | Medium | Medium | Medium |
|
||||||
| kubelet liveness probes can be used to enumerate host network | [#81129](https://github.com/kubernetes/kubernetes/issues/81129) | High | High | Medium |
|
| kubelet liveness probes can be used to enumerate host network | [#81129](https://github.com/kubernetes/kubernetes/issues/81129) | High | High | Medium |
|
||||||
| API Server supports insecure TLS ciphersuites | [#81145](https://github.com/kubernetes/kubernetes/issues/81145) | Medium | Medium | Low |
|
| API Server supports insecure TLS ciphersuites | [#81145](https://github.com/kubernetes/kubernetes/issues/81145) | Medium | Medium | Low |
|
||||||
|
|
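Review bot: backticking `kubectl` in the Out Of Memory row leaves the surrounding rows inconsistent: `kubelet` in "kubelet liveness probes can be used to enumerate host network" and the Go field name `InsecureSkipVerify` in "Use of InsecureSkipVerify and other TLS weaknesses" are identifiers of the same kind and remain plain text. Apply the same code formatting to those two titles in this change, or drop it from `kubectl`, so a single convention holds across the table.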