SB2024101727 - Multiple vulnerabilities in Kubernetes Image Builder
Published: October 17, 2024
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Use of default credentials (CVE-ID: CVE-2024-9486)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists because default credentials are enabled during the image build process when building with the Proxmox provider. A remote attacker can gain root access to the affected virtual machines.
2) Use of default credentials (CVE-ID: CVE-2024-9594)
The vulnerability allows a remote attacker to compromise the image build process.
The vulnerability exists because default credentials are enabled during the image build process when using the Nutanix, OVA, QEMU or raw providers. A remote attacker able to reach the VM on which the image build is running can compromise the image during its build.
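Both issues come down to accounts that can still log in with a password after the build finishes. The following post-build audit is an added example, not code from this bulletin or from the image-builder project: it parses the /etc/shadow of a built image (assumed to be mounted read-only at a path you supply, e.g. via guestmount) and flags every account whose password field holds a usable hash or is empty; the sample shadow content is constructed.

```python
"""Post-build audit: flag accounts in a built image's /etc/shadow that can still log in
with a password. Added example; the image root path and the sample content are assumptions."""
from pathlib import Path


def is_password_enabled(field: str) -> bool:
    """True when the shadow password field permits password login.

    An empty field means passwordless login; a field starting with '!' or '*'
    (e.g. '!', '!!', '*', '*LK*') means the account is locked or has no password.
    """
    if field == "":
        return True
    return not (field.startswith("!") or field.startswith("*"))


def find_enabled_accounts(shadow_text: str) -> list[str]:
    """Parse /etc/shadow content and return account names that accept a password."""
    enabled = []
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue  # malformed line; skip rather than guess
        name, pw_field = parts[0], parts[1]
        if is_password_enabled(pw_field):
            enabled.append(name)
    return enabled


def audit_image_root(mount_point: str, allowed: frozenset = frozenset()) -> list[str]:
    """Audit a mounted image root (assumed path); return accounts not on the allow-list."""
    shadow = Path(mount_point) / "etc" / "shadow"
    return [n for n in find_enabled_accounts(shadow.read_text()) if n not in allowed]


# Constructed sample: root and daemon locked, a leftover build account with a hash,
# and a 'guest' account with an empty password field (both should be flagged).
SAMPLE_SHADOW = (
    "root:*:19700:0:99999:7:::\n"
    "daemon:!:19700:0:99999:7:::\n"
    "builder:$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789:19700:0:99999:7:::\n"
    "guest::19700:0:99999:7:::\n"
)

if __name__ == "__main__":
    print("accounts with usable passwords:", find_enabled_accounts(SAMPLE_SHADOW))
    # prints: accounts with usable passwords: ['builder', 'guest']
```

Run `audit_image_root("/mnt/image")` against the mounted artifact and fail the pipeline when the list is non-empty.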
Remediation
Install the update from the vendor's website.
References
- https://github.com/kubernetes/kubernetes/issues/128006
- https://github.com/kubernetes-sigs/image-builder/pull/1595
- https://groups.google.com/g/kubernetes-security-announce/c/UKJG-oZogfA/m/Lu1hcnHmAQAJ
- https://github.com/kubernetes/kubernetes/issues/128007
- https://github.com/kubernetes-sigs/image-builder/pull/1596