Summary
The image k8s.gcr.io/hyperkube:v1.12.1 used in the arbitrary Job *-secret-cleanup, which is deployed by the Helm chart bank-vaults/vault-helm-chart, contains over 500 Critical and High security vulnerabilities (as identified by the Trivy scanner). Since this image is hardcoded, it cannot be replaced without forking the Helm chart.
Details
The Docker image k8s.gcr.io/hyperkube:v1.12.1 is embedded within the *-secret-cleanup Job of the bank-vaults/vault-helm-chart. This image, as analyzed by the Trivy vulnerability scanner, contains over 500 Critical and High security vulnerabilities. These vulnerabilities include outdated libraries and packages that have known exploits, such as:
- CVE-2019-5736: A container escape vulnerability in
runc.
- CVE-2018-1002105: A privilege escalation vulnerability in the Kubernetes API server.
- CVE-2020-8554: Man-in-the-middle attacks due to inadequate validation in Kubernetes services.
The hardcoding of the image within the Helm chart complicates remediation efforts, as the only current solution would involve forking the Helm chart and manually updating the image references. Below is an example of where the image is specified within the Helm chart values:
|
image: "k8s.gcr.io/hyperkube:v1.12.1" |
PoC
To reproduce the vulnerability:
-
Setup Kubernetes Cluster: Deploy a Kubernetes cluster (e.g., using Minikube or any managed Kubernetes service).
-
Install Trivy: Install Trivy, the vulnerability scanner.
-
Scan the Image: Scan the k8s.gcr.io/hyperkube:v1.12.1 image using Trivy.
trivy image k8s.gcr.io/hyperkube:v1.12.1
-
Deploy Helm Chart: Deploy the bank-vaults/vault-helm-chart with default values.
helm install vault oci://ghcr.io/bank-vaults/helm-charts/vault
-
Check the Jobs: Inspect the *-secret-cleanup Job created by the Helm chart to confirm the image version.
kubectl get jobs -l job-name=*-secret-cleanup -o yaml
-
Validate Vulnerability Presence: Confirm the vulnerabilities reported by Trivy exist in the running container.
kubectl exec -it <pod-name> -- trivy image k8s.gcr.io/hyperkube:v1.12.1
Impact
This vulnerability poses significant risks, including but not limited to:
- Privilege Escalation: Vulnerabilities like CVE-2019-5736 and CVE-2018-1002105 can allow attackers to gain elevated privileges within the Kubernetes cluster, potentially compromising all resources managed by the cluster.
- Data Exposure: The presence of numerous critical vulnerabilities increases the likelihood of data breaches and unauthorized access to sensitive information stored within the cluster.
- Service Disruption: Exploiting these vulnerabilities could lead to denial-of-service attacks, disrupting the availability and reliability of services deployed within the Kubernetes cluster.
Who is impacted: Any organization or individual deploying the bank-vaults/vault-helm-chart that uses the *-secret-cleanup Job with the vulnerable image is at risk. This includes environments where security and compliance are critical, such as financial services, healthcare, and governmental applications.
It is crucial to address these vulnerabilities immediately by either updating the Helm chart to use a secure image version or forking the chart to allow for customizable image references.
JuryA Reporter
Summary
The image
k8s.gcr.io/hyperkube:v1.12.1used in the arbitrary Job*-secret-cleanup, which is deployed by the Helm chart bank-vaults/vault-helm-chart, contains over 500 Critical and High security vulnerabilities (as identified by the Trivy scanner). Since this image is hardcoded, it cannot be replaced without forking the Helm chart.Details
The Docker image
k8s.gcr.io/hyperkube:v1.12.1is embedded within the*-secret-cleanupJob of the bank-vaults/vault-helm-chart. This image, as analyzed by the Trivy vulnerability scanner, contains over 500 Critical and High security vulnerabilities. These vulnerabilities include outdated libraries and packages that have known exploits, such as:runc.The hardcoding of the image within the Helm chart complicates remediation efforts, as the only current solution would involve forking the Helm chart and manually updating the image references. Below is an example of where the image is specified within the Helm chart values:
vault-helm-chart/vault/templates/secret-cleanup.yaml
Line 22 in f5ca539
PoC
To reproduce the vulnerability:
Setup Kubernetes Cluster: Deploy a Kubernetes cluster (e.g., using Minikube or any managed Kubernetes service).
Install Trivy: Install Trivy, the vulnerability scanner.
Scan the Image: Scan the
k8s.gcr.io/hyperkube:v1.12.1image using Trivy.Deploy Helm Chart: Deploy the
bank-vaults/vault-helm-chartwith default values.Check the Jobs: Inspect the
*-secret-cleanupJob created by the Helm chart to confirm the image version.Validate Vulnerability Presence: Confirm the vulnerabilities reported by Trivy exist in the running container.
Impact
This vulnerability poses significant risks, including but not limited to:
Who is impacted: Any organization or individual deploying the bank-vaults/vault-helm-chart that uses the
*-secret-cleanupJob with the vulnerable image is at risk. This includes environments where security and compliance are critical, such as financial services, healthcare, and governmental applications.It is crucial to address these vulnerabilities immediately by either updating the Helm chart to use a secure image version or forking the chart to allow for customizable image references.