CVE-2020-8559: Privilege escalation from compromised node to cluster #1732
Action required from @Azure/aks-pm
I have two questions. Could you address my concerns?
Q1. Why isn't AKS affected on v1.17.7? My understanding is that the affected versions in AKS do NOT include 1.17.7.
But the upstream issue explains that v1.17.7 is affected. Why isn't AKS affected on v1.17.7?
Q2. How do I know that my cluster has been upgraded? If it is upgraded automatically, can I check whether the upgrade was done?
Q1:
Q2:
Thank you @palma21.
Q3:
Q4:
Q3: It's cherry-picking the upstream commit or using the fixed patch version, depending on the situation. It's the same source code.
Thank you for your quick reply. I understand very well.
From kubernetes/kubernetes#92914:
Am I vulnerable?
You are only affected by this vulnerability if you treat the node as a security boundary, since clusters in AKS do not share certificate authorities and authentication credentials.
Note that this vulnerability requires an attacker to first compromise a node through separate means.
Affected **Upstream** Versions
Affected **AKS** Versions
AKS patches the control plane components of all GA Kubernetes versions automatically.
How do I mitigate this vulnerability?
AKS will patch the control planes of its GA versions automatically. If you're on an AKS GA version, no action is required.
If you're not on an AKS GA version, please upgrade following:
https://docs.microsoft.com/en-us/azure/aks/upgrade-cluster
Fixed **AKS** Versions
If you're not on an AKS GA version, please upgrade following: https://docs.microsoft.com/en-us/azure/aks/upgrade-cluster
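The advisory above tells you to compare your kube-apiserver version against the fixed releases, while the thread's Q3 answer notes that AKS patches GA control planes in place by cherry-picking, so the version string alone cannot prove the fix is absent on AKS. The script below is an added example, not code from this thread or from the AKS project. It parses a constructed sample of `kubectl version -o json` output (you can also use `kubectl get --raw /version`, which returns the same `serverVersion` object), classifies the server version by the upstream advisory (kubernetes/kubernetes#92914 lists v1.16.13, v1.17.9 and v1.18.6 as the first fixed patch releases, everything before v1.16.0 as affected, and v1.19.0 and later shipped after the fix merged), and takes a caller-supplied `aks_ga_version` flag, an assumption for this example that the operator sets from the AKS release notes, to flag the in-place-patched case instead of reporting "affected".

```python
"""Classify a kube-apiserver version against the CVE-2020-8559 fix.

Added example; not from the AKS issue thread or the AKS project. Fixed
upstream versions come from kubernetes/kubernetes#92914. The JSON sample
below is constructed to resemble `kubectl version -o json` output and was
not captured from a real cluster.
"""
import json
import re

# First patch release of each affected minor that carries the fix (upstream
# advisory). Minors before 1.16 are affected outright; 1.19+ was cut after
# the fix merged, so it is treated as fixed.
FIXED_PATCH = {16: 13, 17: 9, 18: 6}

_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(git_version):
    """Return (major, minor, patch) from a gitVersion such as 'v1.17.7'.

    Distro build suffixes such as 'v1.17.7-gke.17' are ignored: only the
    upstream numbers matter for the comparison.
    """
    m = _SEMVER.match(git_version.strip())
    if not m:
        raise ValueError(f"unrecognised Kubernetes version: {git_version!r}")
    return tuple(int(part) for part in m.groups())


def upstream_status(git_version):
    """Return 'fixed' or 'affected' for kube-apiserver, by the upstream advisory alone."""
    major, minor, patch = parse_version(git_version)
    if major != 1:
        raise ValueError(f"unexpected major version: {major}")
    if minor < 16:
        return "affected"
    if minor in FIXED_PATCH:
        return "fixed" if patch >= FIXED_PATCH[minor] else "affected"
    return "fixed"


def apiserver_version(kubectl_version_json):
    """Extract serverVersion.gitVersion from `kubectl version -o json` output."""
    doc = json.loads(kubectl_version_json)
    return doc["serverVersion"]["gitVersion"]


def assess(kubectl_version_json, aks_ga_version=False):
    """Combine the upstream verdict with the AKS in-place-patch caveat.

    aks_ga_version is an assumption of this example: the operator sets it
    from the AKS release notes. When it is True and the version string reads
    as affected, the control plane was patched by cherry-pick without a
    version bump (per the AKS answer in the thread), so we flag that rather
    than reporting the cluster as vulnerable.
    """
    version = apiserver_version(kubectl_version_json)
    status = upstream_status(version)
    return {
        "version": version,
        "upstream_status": status,
        "aks_patched_in_place": bool(status == "affected" and aks_ga_version),
    }


# Constructed sample of `kubectl version -o json` output (not a real capture);
# v1.17.7 is the version the question in the thread asks about.
SAMPLE_KUBECTL_VERSION = json.dumps({
    "clientVersion": {"major": "1", "minor": "18", "gitVersion": "v1.18.6"},
    "serverVersion": {"major": "1", "minor": "17", "gitVersion": "v1.17.7"},
})

if __name__ == "__main__":
    result = assess(SAMPLE_KUBECTL_VERSION, aks_ga_version=True)
    print(result)
```

Run it against real output with `kubectl version -o json | python3 check_8559.py` after swapping the sample for `sys.stdin.read()`; the parser deliberately strips build suffixes so distro-tagged versions compare on their upstream numbers only.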