What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
CVE.webp 2022-08-24 16:15:09 CVE-2021-4178 (direct link) An arbitrary code execution flaw was found in the Fabric 8 Kubernetes client affecting versions 5.0.0-beta-1 and above. Due to an improperly configured YAML parsing, this will allow a local and privileged attacker to supply malicious YAML. Uber
Google.webp 2022-08-23 11:50:56 A walk through Project Zero metrics (direct link) Posted by Ryan Schoen, Project Zero. tl;dr: In 2021, vendors took an average of 52 days to fix security vulnerabilities reported from Project Zero. This is a significant acceleration from an average of about 80 days 3 years ago. In addition to the average now being well below the 90-day deadline, we have also seen a dropoff in vendors missing the deadline (or the additional 14-day grace period). In 2021, only one bug exceeded its fix deadline, though 14% of bugs required the grace period. Differences in the amount of time it takes a vendor/product to ship a fix to users reflect their product design, development practices, update cadence, and general processes towards security reports. We hope that this comparison can showcase best practices, and encourage vendors to experiment with new policies. This data aggregation and analysis is relatively new for Project Zero, but we hope to do it more in the future. We encourage all vendors to consider publishing aggregate data on their time-to-fix and time-to-patch for externally reported vulnerabilities, as well as more data sharing and transparency in general. Overview: For nearly ten years, Google's Project Zero has been working to make it more difficult for bad actors to find and exploit security vulnerabilities, significantly improving the security of the Internet for everyone. In that time, we have partnered with folks across industry to transform the way organizations prioritize and approach fixing security vulnerabilities and updating people's software. To help contextualize the shifts we are seeing the ecosystem make, we looked back at the set of vulnerabilities Project Zero has been reporting, how a range of vendors have been responding to them, and then attempted to identify trends in this data, such as how the industry as a whole is patching vulnerabilities faster. 
For this post, we look at fixed bugs that were reported between January 2019 and December 2021 (2019 is the year we made changes to our disclosure policies and also began recording more detailed metrics on our reported bugs). The data we'll be referencing is publicly available on the Project Zero Bug Tracker, and on various open source project repositories (in the case of the data used below to track the timeline of open-source browser bugs). There are a number of caveats with our data, the largest being that we'll be looking at a small number of samples, so differences in numbers may or may not be statistically significant. Also, the direction of Project Zero's research is almost entirely influenced by the choices of individual researchers, so changes in our researc Vulnerability Patching Uber ★★
CVE.webp 2022-08-18 19:15:14 CVE-2022-35976 (direct link) The GitOps Tools Extension for VSCode relies on kubeconfigs in order to communicate with Kubernetes clusters. A specially crafted kubeconfig leads to arbitrary code execution on behalf of the user running VSCode. Users relying on kubeconfigs that are generated or altered by other processes or users are affected by this issue. Please note that the vulnerability is specific to this extension, and the same kubeconfig would not result in arbitrary code execution when used with kubectl. Using only trustworthy kubeconfigs is a safe mitigation. However, updating to the latest version of the extension is still highly recommended. Vulnerability Guideline Uber
2022-08-18 08:00:00 Ukraine and the fragility of agriculture security (direct link) By Joe Marshall. The war in Ukraine has had far-reaching global implications and one of the most immediate effects felt will be on the global supply chain for food. This war-induced fragility has exposed the weaknesses of how we feed ourselves globally. Ransomware cartels and other adversaries are well aware of this and are actively exploiting that fragility. For the past six years, Cisco Talos has been actively involved in assisting public and private institutions in Ukraine to defend themselves against state-sponsored actors. Our involvement stretches the gamut from commercial to critical infrastructure, to election security. Our presence has afforded us unique opportunities and observations about cybersecurity in a macro and micro way. Ukraine has been a frequent victim of state-sponsored cyber attacks aimed at critical infrastructures like power and transportation. Talos is proud to stand with our partners in Ukraine and help defend their critical networks and help users there maintain access to necessary services. Now that Russia has invaded Ukraine, those threats have escalated to kinetic attacks that are wreaking havoc on a critical element of our world: agriculture and our global food supply chain. Even worse are the implications this war will have for future cyber attacks, as fragility is considered a lucrative element in deciding victimology by threat actors like ransomware cartels. To truly grasp the implications of the war in Ukraine, we have to examine how vital Ukrainian agriculture feeds the world, the current state of affairs, and what this means for the global cybersecurity posture to protect agricultural assets. Where there is weakness, there is opportunity. Ransomware cartels and their affiliates are actively targeting the agricultural industry. 
Moreover, these actors have done their homework and are targeting agricultural companies during the two times of the year when they cannot suffer disruptions: planting and harvesting. Per the published FBI PIN Alert: "Cyber actors may perceive cooperatives as lucrative targets with a willingness to pay due to the time-sensitive role they play in agricultural production." This is far from unusual for these adversaries - they are shrewd and calculating, and understand their victims' weaknesses and industries. H Ransomware Threat Guideline Cloud NotPetya Uber APT 37 APT 32 APT 28 APT 10 APT 21 Guam
globalsecuritymag.webp 2022-08-16 07:53:06 Scattered Kubernetes deployments risk being complex, costly and causing data loss (direct link) A recent study by Veritas Technologies reveals that companies are failing to take advantage of the opportunities offered by joint strategies dedicated to Kubernetes deployments. As a result, DevOps and project teams are left to solve the resulting problems on their own, particularly with regard to data protection. According to the study, nearly a third of French companies (27%) have already deployed Kubernetes technology for critical applications. However, (...) - Investigations Uber
SecurityWeek.webp 2022-08-15 11:48:00 Google Boosts Bug Bounty Rewards for Linux Kernel Vulnerabilities (direct link) Google is once again boosting the maximum bounty payouts for Linux vulnerabilities reported as part of its open-source Kubernetes-based capture-the-flag (CTF) vulnerability rewards program (VRP). Vulnerability Uber
Pirate.webp 2022-08-10 13:28:10 How to choose a cigarette tubing machine? (direct link) When you decide to buy a cigarette tubing machine, above all you want it to be sturdy and to last for many years. But today, given the number of tubing machine models on the market, making a choice is not easy. So we decided to give you a few tips and a few […] The post How to choose a cigarette tubing machine? first appeared on UnderNews. Uber
GoogleSec.webp 2022-08-10 12:00:24 Making Linux Kernel Exploit Cooking Harder (direct link) Posted by Eduardo Vela, Exploit Critic. The Linux kernel is a key component for the security of the Internet. Google uses Linux in almost everything, from the computers our employees use, to the products people around the world use daily like Chromebooks, Android on phones, cars, and TVs, and workloads on Google Cloud. Because of this, we have heavily invested in Linux's security - and today, we're announcing how we're building on those investments and increasing our rewards. In 2020, we launched an open-source Kubernetes-based Capture-the-Flag (CTF) project called kCTF. The kCTF Vulnerability Rewards Program (VRP) lets researchers connect to our Google Kubernetes Engine (GKE) instances, and if they can hack it, they get a flag, and are potentially rewarded. All of GKE and its dependenci Hack Uber
AlienVault.webp 2022-08-10 10:00:00 Are cloud containers a sugar-coated threat? (direct link) This blog was written by an independent guest blogger. Containerization is a rapidly evolving technology in cloud-native applications. Just like computing systems, containers consist of packages of software programs with all the vital elements like binaries, files, and libraries for running an application in the environment from anywhere. Containers are lightweight, and DevOps teams develop applications and deploy services using them. Moreover, organizations also use these containers to deploy and scale the DevOps infrastructure like the CI/CD tools. A report reveals that by 2022, organizations are likely to run 24% of their workload on containers. However, despite the benefits containers offer, it doesn't mean they are completely secure. A study revealed that 87% of organizations had deployed containers in their production, while it's found that 94% had experienced at least one security incident. Another research finds that 45% of organizations have delayed or slowed down their application deployment process because of container security issues. All these issues can cause organizations to slow down their transformation journey and bear financial and reputational loss. To avoid such circumstances, organizations need to be aware of cloud container threats and learn how to minimize risks. Why are cloud containers becoming a growing threat? Containerization is a fast-moving trend that plays a pivotal role in improving agility and boosting innovation and is necessary for application development. The adoption of containers has soared in recent years and will continue to rise - and why not, as it transforms how an organization deploys IT infrastructure. Gartner predicts that by 2023, 70% of organizations will use containerized applications. In a survey, the Cloud Native Computing Foundation (CNCF) finds that 96% of enterprises have evaluated or actively use Kubernetes. 
Besides this, 68% of the IT leaders in the Red Hat State of Enterprise Open Source Report for 2022 say that container technology is on the level of other important technologies, like Artificial Intelligence and Machine Learning. Container adoption comes with great advantages, but can also pose cybersecurity threats and challenges that adversely impact organizations. Enterprises that depend on container technology but fail to identify the security vulnerabilities and implement mitigation measures compromise their sensitive business data, including customer data. The situation becomes even more dire since most of these threats can't be mitigated through endpoint security tools such as proxies or VPNs. Here are some of the reasons cloud containers are becoming a threat to organizations: Human error Hackers can compromise container technology in the cloud in several ways. Malware Vulnerability Threat Guideline Uber
NoticeBored.webp 2022-08-06 10:46:21 CISO workshop slides (direct link) A glossy, nicely-constructed and detailed PowerPoint slide deck by Microsoft Security caught my beady eye this morning. The title 'CISO Workshop: Security Program and Strategy' with 'Your Name Here' suggests it might be a template for use in a workshop/course bringing CISOs up to speed on the governance, strategic and architectural aspects of information security, but in fact, given the amount of technical detail, it appears to be aimed at informing IT/technology managers about IT or cybersecurity, specifically. Maybe it is intended for newly-appointed CISOs or more junior managers who aspire to be CISOs, helping them clamber up the pyramid (slide 87 of 142): Malware Vulnerability Threat Patching Guideline Medical Cloud Uber APT 38 APT 37 APT 28 APT 19 APT 15 APT 10 APT 34 Guam
CVE.webp 2022-08-04 22:15:08 CVE-2022-35930 (direct link) PolicyController is a utility used to enforce supply chain policy in Kubernetes clusters. In versions prior to 0.2.1 PolicyController will report a false positive, resulting in an admission when it should not be admitted when there is at least one attestation with a valid signature and there are NO attestations of the type being verified (--type defaults to "custom"). An example image that can be used to test this is `ghcr.io/distroless/static@sha256:dd7614b5a12bc4d617b223c588b4e0c833402b8f4991fb5702ea83afad1986e2`. Users should upgrade to version 0.2.1 to resolve this issue. There are no workarounds for users unable to upgrade. Uber
Chercheur.webp 2022-08-04 15:41:09 Scammers Sent Uber to Take Elderly Lady to the Bank (direct link) Email scammers sent an Uber to the home of an 80-year-old woman who responded to a well-timed email scam, in a bid to make sure she went to the bank and wired money to the fraudsters. In this case, the woman figured out she was being scammed before embarking for the bank, but her story is a chilling reminder of how far crooks will go these days to rip people off. Uber Uber
globalsecuritymag.webp 2022-08-02 08:56:51 Elastic announces improvements to cross-cluster search and replication (direct link) Elastic has improved its cross-cluster search and replication features. Interoperability between self-managed deployments and Elastic Cloud is also now generally available. Users can easily search data across multiple Elasticsearch clusters deployed on premises, on Kubernetes and in the cloud. Cross-cluster search lets users find data across multiple clusters and visualize it in a single consistent view in order to (...) - Products Uber ★★★★
MalwarebytesLabs.webp 2022-07-29 16:44:16 To settle with the DoJ, Uber must confess to a cover-up. And it did. (direct link) The 2016 Uber data breach affected the personal information of 57 million people. And then the company covered it all up. Data Breach Uber Uber
globalsecuritymag.webp 2022-07-29 11:02:43 Mirantis launches Lens Pro, adding advanced features (direct link) Mirantis announces Lens Pro. Reserved for enterprise users, its features simplify the experience of developers working with Kubernetes: on-demand live support, easy configuration for container image scanning and vulnerability reporting, and a built-in local Kubernetes cluster have been added. Lens removes the complexity of Kubernetes, thereby making it easier for the widest range of developers to adopt. With Lens, the (...) - Products Uber
grahamcluley.webp 2022-07-27 20:12:10 Uber's former head of security faces fraud charges after allegedly covering up data breach (direct link) The former Chief Security Officer of Uber is facing wire fraud charges over allegations that he covered up a data breach that saw hackers steal the records of 57 million passengers and drivers. Read more in my article on the Hot for Security blog. Data Breach Uber Uber
globalsecuritymag.webp 2022-07-27 08:01:19 Mirantis acquires amazee.io (direct link) Mirantis has acquired amazee.io, a global provider specializing in web application delivery for Kubernetes. amazee.io is the only ZeroOps application delivery platform designed by, and for, developers in order to relieve them of cloud deployment, migrations and other operational tasks. The eponymous company was founded in 2017 with the aim of improving the developer experience by fully automating operations for applications (...) - Business Uber
CSO.webp 2022-07-27 06:09:00 Teleport features passwordless access with new access plane update (direct link) Teleport, an open source platform designed to provide zero trust access management for applications, has announced the latest version of its unified access plane, Teleport 10, which features passwordless access as a single sign-on (SSO) infrastructure access solution. Teleport's unified access plane is an open source identity-based infrastructure access platform that unifies secure access to servers, Kubernetes clusters, applications and databases. Uber
InfoSecurityMag.webp 2022-07-26 15:15:00 Uber Settles 2016 Hacking Case With DoJ (direct link) The ride-sharing giant has agreed to help the DoJ prosecute its former chief security officer in exchange for escaping prosecution itself Uber
no_ico.webp 2022-07-26 11:34:02 Uber Admits Covering Up 2016 Data Breach That Exposed 57M Users' Data (direct link) Uber has admitted to covering up a massive cybersecurity attack that took place in October 2016, exposing the confidential data of 57 million customers and drivers, as part of a settlement with the US Department of Justice in order to avoid prosecution. More on the story here: https://www.theverge.com/2022/7/25/23277161/uber-2016-data-breach-settlement-cover-up Data Breach Uber Uber
SecurityWeek.webp 2022-07-25 13:20:58 Uber Settles With Federal Investigators Over 2016 Data Breach Coverup (direct link) Uber has entered a non-prosecution agreement to resolve a criminal investigation into the manner in which the company handled a 2016 data breach that impacted 57 million users and drivers. Data Breach Uber
DarkReading.webp 2022-07-19 14:00:00 Protecting Against Kubernetes-Borne Ransomware (direct link) The conventional wisdom that virtual container environments were somehow immune from malware and hackers has been upended. Ransomware Malware Uber
CVE.webp 2022-07-12 22:15:08 CVE-2022-31102 (direct link) Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with 2.3.0 and prior to 2.3.6 and 2.4.5 is vulnerable to a cross-site scripting (XSS) bug which could allow an attacker to inject arbitrary JavaScript in the `/auth/callback` page in a victim's browser. This vulnerability only affects Argo CD instances which have single sign on (SSO) enabled. The exploit also assumes the attacker has 1) access to the API server's encryption key, 2) a method to add a cookie to the victim's browser, and 3) the ability to convince the victim to visit a malicious `/auth/callback` link. The vulnerability is classified as low severity because access to the API server's encryption key already grants a high level of access. Exploiting the XSS would allow the attacker to impersonate the victim, but would not grant any privileges which the attacker could not otherwise gain using the encryption key. A patch for this vulnerability has been released in the following Argo CD versions: 2.4.5 and 2.3.6. There is currently no known workaround. Tool Vulnerability Uber
CVE.webp 2022-07-12 22:15:08 CVE-2022-31105 (direct link) Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 0.4.0 and prior to 2.2.11, 2.3.6, and 2.4.5 is vulnerable to an improper certificate validation bug which could cause Argo CD to trust a malicious (or otherwise untrustworthy) OpenID Connect (OIDC) provider. A patch for this vulnerability has been released in Argo CD versions 2.4.5, 2.3.6, and 2.2.11. There are no complete workarounds, but a partial workaround is available. Those who use an external OIDC provider (not the bundled Dex instance) can mitigate the issue by setting the `oidc.config.rootCA` field in the `argocd-cm` ConfigMap. This mitigation only forces certificate validation when the API server handles login flows. It does not force certificate verification when verifying tokens on API calls. Tool Vulnerability Uber
globalsecuritymag.webp 2022-07-12 10:26:58 HID Global and the Laboratoire Hubert Curien launch a joint research project on secure identity documents for citizens (direct link) HID Global announces the creation of a joint research laboratory with the France-based Laboratoire Hubert Curien, named Laboratoire Lasers, Matériaux et Couleurs pour les Documents d'Identité Citoyenne, or LAMCID. The Laboratoire Hubert Curien is a joint research unit of the Université Jean Monnet, the Centre National de la Recherche and the Institut d'Optique. LAMCID will host experts from HID Global and Hubert Curien to carry out various joint projects aimed at reducing the (...) - Business Uber
TroyHunt.webp 2022-07-11 19:45:28 Uber emails: Exec admits "we're not legal," another claims we're all "pirates" (direct link) An Uber data leak made public more than 124,000 confidential files. Uber Uber
AWS.webp 2022-07-11 15:54:32 Reported EKS IAM Authenticator Issue (direct link) Initial Publication Date: 2022/07/11 9:00 PST A security researcher recently reported an issue with the AWS IAM Authenticator for Kubernetes, used by Amazon Elastic Kubernetes Service (EKS). The researcher identified a query parameter validation issue within the authenticator plugin when configured to use the "AccessKeyID" template parameter within query strings. This issue could have permitted a knowledgeable attacker to escalate privileges within a Kubernetes cluster. Customers who do not use the "AccessKeyID" parameter are not affected by this issue. As of June 28, 2022, all EKS clusters worldwide have been updated with a new version of the AWS IAM Authenticator for Kubernetes, containing a fix for this issue. Customers who use the AWS IAM Authenticator for Kubernetes within Amazon EKS do not need to take any action to protect themselves. Customers who host and manage their own Kubernetes clusters, and who use the authenticator plugin's "AccessKeyID" template parameter, should update the AWS IAM Authenticator for Kubernetes to version 0.5.9. We would like to thank Lightspin for reporting this issue. Security-related questions or concerns can be brought to our attention via aws-security@amazon.com. Uber ★★
MalwarebytesLabs.webp 2022-07-11 08:40:19 Tech support scammers caught by their own cameras (direct link) A YouTuber has hacked into the CCTV cameras of an office used by tech support scammers and recorded them being arrested by the police. Uber
News.webp 2022-07-11 06:45:08 Leaked Uber docs reveal frequent use of 'kill switch' to deactivate tech, thwart investigators (direct link) Staff told to tell cops that the IT team was in San Francisco, asleep, and couldn't restore systems A data leak from ride-sharing app Uber revealed activities allegedly geared to avoid regulation and law enforcement – including a "kill switch" that would remotely cut computer access to servers at its headquarters in San Francisco in case of a raid – according to weekend media.… Uber Uber
BBC.webp 2022-07-10 16:00:32 Uber Files: Massive leak reveals how top politicians secretly helped Uber (direct link) Emmanuel Macron is among leaders who helped the ride-hailing company disrupt new markets. Guideline Uber Uber
MalwarebytesLabs.webp 2022-07-01 17:35:43 YTStealer targets YouTube content creators (direct link) We take a look at reports of scammers targeting YouTubers' channels with malware called YTStealer, which eats authentication cookies. Malware Uber
CVE.webp 2022-06-30 17:15:07 CVE-2022-22472 (direct link) IBM Spectrum Protect Plus Container Backup and Restore (10.1.5 through 10.1.10.2 for Kubernetes and 10.1.7 through 10.1.10.2 for Red Hat OpenShift) could allow a remote attacker to bypass IBM Spectrum Protect Plus role based access control restrictions, caused by improper disclosure of session information. By retrieving the logs of a container an attacker could exploit this vulnerability to bypass login security of the IBM Spectrum Protect Plus server and gain unauthorized access based on the permissions of the IBM Spectrum Protect Plus user to the vulnerable Spectrum Protect Plus server software. IBM X-Force ID: 225340. Vulnerability Uber
TroyHunt.webp 2022-06-29 22:25:52 YouTube content creator credentials are under siege by YTStealer malware (direct link) Researchers unearth suspected credential-stealer service targeting YouTubers. Malware Uber
no_ico.webp 2022-06-29 16:10:18 Kubernetes API: Over 900,000 Exposures Found Across The Internet (direct link) Cyble Research Labs observed over 900,000 Kubernetes exposures across the internet. … it emphasizes the existence of seemingly simple misconfiguration practices that might make companies lucrative targets for TAs in the future. Kubernetes, often known as K8s, is an open-source system for automating containerized application deployment, scaling, and administration. K8s incorporates virtual and real machines […] Uber
News.webp 2022-06-29 14:05:08 Ex-Uber security chief accused of hushing database breach must face fraud charges (direct link) Company execs and their lawyers are paying close attention to this one A US judge yesterday threw out an attempt to dismiss wire fraud charges against a former Uber employee accused of trying to cover up a computer crime.… Uber Uber
InfoSecurityMag.webp 2022-06-28 17:00:00 Nearly One Million Misconfigured Kubernetes Exposed That Could Cause Data Breaches (direct link) Misconfiguration practices might make companies lucrative targets for threat actors Threat Uber
bleepingcomputer.webp 2022-06-28 06:39:23 Over 900,000 Kubernetes instances found exposed online (direct link) Over 900,000 misconfigured Kubernetes clusters were found exposed on the Internet to potentially malicious scans, some even vulnerable to data-exposing cyberattacks. [...] Uber
CVE.webp 2022-06-27 22:15:09 CVE-2022-31098 (lien direct) Weave GitOps is a simple open source developer platform for people who want cloud native applications, without needing Kubernetes expertise. A vulnerability in the logging of Weave GitOps could allow an authenticated remote attacker to view sensitive cluster configurations, aka KubeConfg, of registered Kubernetes clusters, including the service account tokens in plain text from Weave GitOps's pod logs on the management cluster. An unauthorized remote attacker can also view these sensitive configurations from external log storage if enabled by the management cluster. This vulnerability is due to the client factory dumping cluster configurations and their service account tokens when the cluster manager tries to connect to an API server of a registered cluster, and a connection error occurs. An attacker could exploit this vulnerability by either accessing logs of a pod of Weave GitOps, or from external log storage and obtaining all cluster configurations of registered clusters. A successful exploit could allow the attacker to use those cluster configurations to manage the registered Kubernetes clusters. This vulnerability has been fixed by commit 567356f471353fb5c676c77f5abc2a04631d50ca. Users should upgrade to Weave GitOps core version v0.8.1-rc.6 or newer. There is no known workaround for this vulnerability. Vulnerability Uber
CVE.webp 2022-06-27 21:15:07 CVE-2022-31077 (lien direct) KubeEdge is built upon Kubernetes and extends native containerized application orchestration and device management to hosts at the Edge. In affected versions a malicious message response from KubeEdge can crash the CSI Driver controller server by triggering a nil-pointer dereference panic. As a consequence, the CSI Driver controller will be in denial of service. This bug has been fixed in Kubeedge 1.11.0, 1.10.1, and 1.9.3. Users should update to these versions to resolve the issue. At the time of writing, no workaround exists. Uber
CVE.webp 2022-06-27 20:15:08 CVE-2022-31076 (lien direct) KubeEdge is built upon Kubernetes and extends native containerized application orchestration and device management to hosts at the Edge. In affected versions a malicious message can crash CloudCore by triggering a nil-pointer dereference in the UDS Server. Since the UDS Server only communicates with the CSI Driver on the cloud side, the attack is limited to the local host network. As such, an attacker would already need to be an authenticated user of the Cloud. Additionally it will be affected only when users turn on the unixsocket switch in the config file cloudcore.yaml. This bug has been fixed in Kubeedge 1.11.0, 1.10.1, and 1.9.3. Users should update to these versions to resolve the issue. Users unable to upgrade should sisable the unixsocket switch of CloudHub in the config file cloudcore.yaml. Uber
CVE.webp 2022-06-27 20:15:08 CVE-2022-31036 (lien direct) Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v1.3.0 are vulnerable to a symlink following bug allowing a malicious user with repository write access to leak sensitive YAML files from Argo CD's repo-server. A malicious Argo CD user with write access for a repository which is (or may be) used in a Helm-type Application may commit a symlink which points to an out-of-bounds file. If the target file is a valid YAML file, the attacker can read the contents of that file. Sensitive files which could be leaked include manifest files from other Applications' source repositories (potentially decrypted files, if you are using a decryption plugin) or any YAML-formatted secrets which have been mounted as files on the repo-server. Patches for this vulnerability has been released in the following Argo CD versions: v2.4.1, v2.3.5, v2.2.10 and v2.1.16. If you are using a version >=v2.3.0 and do not have any Helm-type Applications you may disable the Helm config management tool as a workaround. Tool Vulnerability Uber
CVE.webp 2022-06-27 19:15:08 CVE-2022-31035 (lien direct) Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing a malicious user to inject a `javascript:` link in the UI. When clicked by a victim user, the script will execute with the victim's permissions (up to and including admin). The script would be capable of doing anything which is possible in the UI or via the API, such as creating, modifying, and deleting Kubernetes resources. A patch for this vulnerability has been released in the following Argo CD versions: v2.4.1, v2.3.5, v2.2.10 and v2.1.16. There are no completely-safe workarounds besides upgrading. Tool Vulnerability Uber
CVE.webp 2022-06-27 19:15:08 CVE-2022-31034 (lien direct) Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v0.11.0 are vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or UI. The vulnerabilities are due to the use of insufficiently random values in parameters in Oauth2/OIDC login flows. In each case, using a relatively-predictable (time-based) seed in a non-cryptographically-secure pseudo-random number generator made the parameter less random than required by the relevant spec or by general best practices. In some cases, using too short a value made the entropy even less sufficient. The attacks on login flows which are meant to be mitigated by these parameters are difficult to accomplish but can have a high impact potentially granting an attacker admin access to Argo CD. Patches for this vulnerability has been released in the following Argo CD versions: v2.4.1, v2.3.5, v2.2.10 and v2.1.16. There are no known workarounds for this vulnerability. Tool Vulnerability Uber
CVE.webp 2022-06-25 08:15:09 CVE-2022-31016 (direct link) Argo CD is a declarative continuous deployment tool for Kubernetes. Argo CD versions v0.7.0 and later are vulnerable to an uncontrolled memory consumption bug, allowing an authorized malicious user to crash the repo-server service, resulting in a Denial of Service. The attacker must be an authenticated Argo CD user authorized to deploy Applications from a repository which contains (or can be made to contain) a large file. The fix for this vulnerability is available in versions 2.3.5, 2.2.10, 2.1.16, and later. There are no known workarounds. Users are recommended to upgrade. Vulnerability Uber
no_ico.webp 2022-06-20 22:05:15 Why 93% Of Kubernetes Users Struggle With Security (direct link) Following the news that 93% of Kubernetes users struggle with security (2022 State of Kubernetes Security Report, redhat.com). Uber
GoogleSec.webp 2022-06-14 12:00:00 SBOM in Action: finding vulnerabilities with a Software Bill of Materials (direct link) Posted by Brandon Lum and Oliver Chang, Google Open Source Security Team. The past year has seen an industry-wide effort to embrace Software Bills of Materials (SBOMs), a list of all the components, libraries, and modules that are required to build a piece of software. In the wake of the 2021 Executive Order on Cybersecurity, these ingredient labels for software became popular as a way to understand what's in the software we all consume. The guiding idea is that it's impossible to judge the risks of particular software without knowing all of its components, including those produced by others. This increased interest in SBOMs saw another boost after the National Institute of Standards and Technology (NIST) released its Secure Software Development Framework, which requires SBOM information to be available for software. But now that the industry is making progress on methods to generate and share SBOMs, what do we do with them? Generating an SBOM is only one half of the story. Once an SBOM is available for a given piece of software, it needs to be mapped onto a list of known vulnerabilities to know which components could pose a threat. By connecting these two sources of information, consumers will know not just what's in their software, but also its risks and whether they need to remediate any issues. In this blog post, we demonstrate the process of taking an SBOM from a large and critical project, Kubernetes, and using an open source tool to identify the vulnerabilities it contains. Our example's success shows that we don't need to wait for SBOM generation to reach full maturity before we begin mapping SBOMs to common vulnerability databases. With just a few updates from SBOM creators to address current limitations in connecting the two sources of data, this process is poised to become easily within reach of the average software consumer.
OSV: Connecting SBOMs to vulnerabilities. The following example uses Kubernetes, a major project that makes its SBOM available using the Software Package Data Exchange (SPDX) format, an international open standard (ISO) for communicating SBOM information. The same idea should apply to any project that makes its SBOM available, and for projects that don't, you can generate your own SBOM using the same bom tool Kubernetes created. We have chosen to map the SBOM to the Open Source Vulnerabilities (OSV) database, which describes vulnerabilities in a format that was specifically designed to map to open source package versions or commit hashes. The OSV database excels here as it provides a standardized format and aggregates information across multiple ecosystems (e.g., Python, Golang, Rust) and databases (e.g., GitHub Advisory Database (GHSA), Global Security Database (GSD)). To connect the SBOM to the database, we'll use the SPDX spdx-to-osv tool. This open source tool takes in an SPDX SBOM document, queries the OSV database of vulnerabilities, and returns an enumeration of vulnerabilities present in the software's declared components. Example: Kubernetes' SBOM. The first step is to download Kubernetes' SBOM, which is publicly available and contains information on the project, dependencies, versions, and Tool Vulnerability Uber
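The mapping step the post delegates to spdx-to-osv is small enough to show directly: read the SPDX document, pull each package's package URL (purl) from its external references, and turn those into the query list the OSV batch endpoint accepts. The Go below is an added example of that step, not the spdx-to-osv tool's code. The SPDX field names are those of the SPDX 2.x JSON schema and the request shape is that of the public `POST https://api.osv.dev/v1/querybatch` endpoint; the sample document, its package list and the module `github.com/example/lib` are constructed for the example, and no network call is made.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// The SPDX 2.x JSON fields we need: versionInfo carries the version and an
// externalRef of type "purl" carries the package URL OSV understands.
type spdxDocument struct {
	Name     string        `json:"name"`
	Packages []spdxPackage `json:"packages"`
}

type spdxPackage struct {
	Name         string            `json:"name"`
	VersionInfo  string            `json:"versionInfo"`
	ExternalRefs []spdxExternalRef `json:"externalRefs"`
}

type spdxExternalRef struct {
	ReferenceCategory string `json:"referenceCategory"`
	ReferenceType     string `json:"referenceType"`
	ReferenceLocator  string `json:"referenceLocator"`
}

// Request body of the OSV batch endpoint, POST https://api.osv.dev/v1/querybatch.
type osvBatch struct {
	Queries []osvQuery `json:"queries"`
}

type osvQuery struct {
	Package osvPackage `json:"package"`
	Version string     `json:"version,omitempty"`
}

type osvPackage struct {
	PURL string `json:"purl"`
}

// BuildOSVQueries turns an SPDX JSON document into OSV batch queries. It also
// returns the names of packages that carried no purl: this is the gap the
// post describes, since without a package URL (or another ecosystem
// identifier) there is nothing to match against the database.
func BuildOSVQueries(spdxJSON []byte) (osvBatch, []string, error) {
	var doc spdxDocument
	if err := json.Unmarshal(spdxJSON, &doc); err != nil {
		return osvBatch{}, nil, fmt.Errorf("parsing SPDX: %w", err)
	}
	var batch osvBatch
	var missing []string
	seen := map[string]bool{}
	for _, p := range doc.Packages {
		purl := ""
		for _, ref := range p.ExternalRefs {
			if ref.ReferenceType == "purl" {
				purl = ref.ReferenceLocator
				break
			}
		}
		if purl == "" {
			missing = append(missing, p.Name)
			continue
		}
		if seen[purl] {
			continue // a component listed twice yields one query
		}
		seen[purl] = true
		q := osvQuery{Package: osvPackage{PURL: purl}}
		// A purl may already carry "@version"; only fall back to versionInfo
		// when it does not, so the version is stated once, not twice.
		if !strings.Contains(purl, "@") {
			q.Version = p.VersionInfo
		}
		batch.Queries = append(batch.Queries, q)
	}
	return batch, missing, nil
}

// Constructed sample: a root package without a purl (common for SBOM roots),
// one module whose purl carries the version, one whose purl does not, and a
// duplicate entry.
const sampleSPDX = `{
  "spdxVersion": "SPDX-2.2", "name": "example-project-sbom",
  "packages": [
    {"name": "example-project", "SPDXID": "SPDXRef-Package-root", "versionInfo": "v1.0.0"},
    {"name": "golang.org/x/text", "SPDXID": "SPDXRef-Package-x-text", "versionInfo": "v0.3.6",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:golang/golang.org/x/text@v0.3.6"}]},
    {"name": "github.com/example/lib", "SPDXID": "SPDXRef-Package-lib", "versionInfo": "v1.2.3",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:golang/github.com/example/lib"}]},
    {"name": "golang.org/x/text", "SPDXID": "SPDXRef-Package-x-text-dup", "versionInfo": "v0.3.6",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:golang/golang.org/x/text@v0.3.6"}]}
  ]}`

func main() {
	batch, missing, err := BuildOSVQueries([]byte(sampleSPDX))
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(batch, "", "  ")
	fmt.Println(string(out))
	fmt.Println("packages without a purl (cannot be queried):", missing)
}
```

The printed body is what you would POST to the querybatch endpoint; the response lists vulnerability IDs per query in the same order, so keep the query slice to join the results back to package names. The `missing` list is the practical output for an SBOM producer: every name on it is a component the vulnerability lookup silently skips until the SBOM carries an identifier OSV can resolve.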
CVE.webp 2022-06-13 20:15:07 CVE-2022-31054 (direct link) Argo Events is an event-driven workflow automation framework for Kubernetes. Prior to version 1.7.1, several `HandleRoute` endpoints make use of the deprecated `ioutil.ReadAll()`. `ioutil.ReadAll()` reads all the data into memory. As such, an attacker who sends a large request to the Argo Events server will be able to crash it and cause denial of service. A patch for this vulnerability has been released in Argo Events version 1.7.1. Vulnerability Uber
CVE.webp 2022-06-13 16:15:08 CVE-2022-31055 (direct link) kCTF is a Kubernetes-based infrastructure for capture the flag (CTF) competitions. Prior to version 1.6.0, `kctf cluster set-src-ip-ranges` was broken and allowed traffic from any IP. The problem has been patched in v1.6.0. As a workaround, those who want to test challenges privately can mark them as `public: false` and use `kctf chal debug port-forward` to connect. Uber
CVE.webp 2022-06-09 14:15:08 CVE-2022-31030 (direct link) containerd is an open source container runtime. A bug was found in containerd's CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the `ExecSync` API. This can cause containerd to consume all available memory on the computer, denying service to other legitimate workloads. Kubernetes and crictl can both be configured to use containerd's CRI implementation; `ExecSync` may be used when running probes or when executing processes via an "exec" facility. This bug has been fixed in containerd 1.6.6 and 1.5.13. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used. Uber ★★★★★
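Three of the entries above share one root cause: CVE-2022-31016 (a large file in a deployed repository), CVE-2022-31054 (`ioutil.ReadAll` on a request body) and CVE-2022-31030 (`ExecSync` buffering a container process's output) all read an attacker-influenced stream into memory with no upper bound. The Go below is an added example of the general fix, not any of the three projects' patches: a bounded replacement for `ReadAll`, a capped sink for output that must be collected (the exec case), and an HTTP handler that caps the request body. Function and type names and the limits are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// ErrTooLarge is returned once an input exceeds the limit the caller set.
var ErrTooLarge = errors.New("input exceeds configured size limit")

// ReadAllBounded replaces an unbounded io.ReadAll/ioutil.ReadAll. It reads at
// most limit+1 bytes, so an input of exactly limit bytes succeeds while
// anything longer fails having buffered limit+1 bytes, not the whole stream.
func ReadAllBounded(r io.Reader, limit int64) ([]byte, error) {
	data, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > limit {
		return nil, ErrTooLarge
	}
	return data, nil
}

// CappedWriter is the sink-side equivalent for output you have to collect,
// such as the stdout/stderr of a process started through an exec facility:
// set it as cmd.Stdout and the copy loop stops with ErrTooLarge instead of
// growing without bound.
type CappedWriter struct {
	Limit int64
	buf   []byte
}

func (w *CappedWriter) Write(p []byte) (int, error) {
	room := w.Limit - int64(len(w.buf)) // never negative: buf is capped below
	if int64(len(p)) > room {
		w.buf = append(w.buf, p[:room]...)
		return int(room), ErrTooLarge
	}
	w.buf = append(w.buf, p...)
	return len(p), nil
}

// Bytes returns what was captured before the cap was reached.
func (w *CappedWriter) Bytes() []byte { return w.buf }

// handleRoute is the hardened shape of a handler that used to call
// ioutil.ReadAll(r.Body). http.MaxBytesReader errors once the client sends
// more than limit bytes and tells the server to close the connection rather
// than keep draining it.
func handleRoute(limit int64) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		r.Body = http.MaxBytesReader(w, r.Body, limit)
		body, err := io.ReadAll(r.Body)
		if err != nil {
			// With MaxBytesReader in place, the read error on an otherwise
			// well-formed request is the size cap (Go 1.19+ exposes it as
			// *http.MaxBytesError if the cases must be told apart).
			http.Error(w, "payload too large", http.StatusRequestEntityTooLarge)
			return
		}
		fmt.Fprintf(w, "accepted %d bytes\n", len(body))
	}
}

func main() {
	hostile := strings.NewReader(strings.Repeat("A", 1<<20)) // 1 MiB, constructed
	if _, err := ReadAllBounded(hostile, 64<<10); errors.Is(err, ErrTooLarge) {
		fmt.Println("ReadAllBounded: rejected a 1 MiB body with a 64 KiB cap")
	}
	cw := &CappedWriter{Limit: 1024}
	_, err := io.Copy(cw, strings.NewReader(strings.Repeat("B", 1<<20)))
	fmt.Printf("CappedWriter: kept %d bytes, err=%v\n", len(cw.Bytes()), err)
}
```

The limit belongs where the data enters the process, not after the fact: once `ReadAll` has allocated the buffer the damage is done. For the exec case, capping the sink is only half the job; the child process can still fill the pipe, so pair the capped writer with a timeout or kill the process when the writer reports `ErrTooLarge`.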
TrendMicro.webp 2022-06-09 00:00:00 Amazon EKS vs Azure Kubernetes Service (direct link) Managed Kubernetes services help organizations deploy, configure, and manage Kubernetes clusters. This article compares two of the biggest service providers: Amazon EKS and Azure Kubernetes Service. Uber
Last update at: 2024-05-10 17:08:09