# Advisory on Kubernetes Image Builder Vulnerabilities

A security researcher discovered a security issue in Kubernetes where an unauthorized user may be able to SSH to a node VM that runs a VM image built with the Kubernetes [Image Builder](https://github.com/kubernetes-sigs/image-builder) project. The vulnerable images contain a pre-configured user with a weak default password that is accepted for SSH login. Once logged in, that user can use `sudo` to escalate privileges to root.

The following are the vulnerabilities found in Kubernetes Image Builder:

| CVE ID                                                                     | Summary                                                                                                                             |
| -------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| [CVE-2024-9486](https://github.com/kubernetes/kubernetes/issues/128006)    | This security issue has been rated **Critical** with a **9.8** CVSS score for images built with the Proxmox provider.               |
| [CVE-2024-9594](https://github.com/kubernetes/kubernetes/issues/128007)    | This security issue has been rated **Medium** with a **6.3** CVSS score for images built with Nutanix, OVA, QEMU, or raw providers. |

The most severe of these vulnerabilities is [CVE-2024-9486](https://github.com/kubernetes/kubernetes/issues/128006), which is classified as **Critical** severity with a CVSS score of **9.8**.
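The condition behind both CVEs is a pre-configured account that still has a usable password and a sudo rule. The following audit, added here as an illustration and not code from IONOS or the Image Builder project, flags exactly that chain in an image's `/etc/passwd`, `/etc/shadow` and `/etc/sudoers`; the sample files and the account names in them are constructed for the example.

```shell
#!/bin/sh
# Added example: audit a node image for a non-system account that both holds a
# usable password hash and has a sudoers rule (password SSH login -> sudo -> root).
# The three file paths are parameters so the check can run against a mounted image.

# Constructed sample files standing in for a mounted image (not real data).
WORK=$(mktemp -d)
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
imguser:x:1000:1000::/home/imguser:/bin/bash
ops:x:1001:1001::/home/ops:/bin/bash
EOF
cat > "$WORK/shadow" <<'EOF'
root:*:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
imguser:$6$saltsalt$fakehashfakehash:19000:0:99999:7:::
ops:!:19000:0:99999:7:::
EOF
cat > "$WORK/sudoers" <<'EOF'
root ALL=(ALL:ALL) ALL
imguser ALL=(ALL) NOPASSWD:ALL
EOF

# list_risky_users PASSWD SHADOW SUDOERS
# Prints one user per line: every account with UID >= 1000 (excluding nobody)
# whose shadow field is a real hash (not locked with '!' or '*') and which has
# a rule of its own in sudoers. Locked accounts and accounts without sudo are skipped.
list_risky_users() {
    passwd=$1; shadow=$2; sudoers=$3
    awk -F: '$3 >= 1000 && $3 < 65534 { print $1 }' "$passwd" | while read -r user; do
        hash=$(awk -F: -v u="$user" '$1 == u { print $2 }' "$shadow")
        case "$hash" in
            ''|'!'*|'*'*) continue ;;   # no password or locked: password login impossible
        esac
        if grep -Eq "^[[:space:]]*$user[[:space:]]" "$sudoers"; then
            printf '%s\n' "$user"
        fi
    done
}

# Expected on the sample data: only "imguser" is reported (ops is locked, root is a system account).
list_risky_users "$WORK/passwd" "$WORK/shadow" "$WORK/sudoers"
```

The fix for a flagged account is to lock or remove it in the image and to disable password authentication for SSH, so that only key-based logins reach the node.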

## Impacted IONOS Cloud Products

| Product Ranges  | Product                                                        | Impacted | Mitigated | Patch Status |
| --------------- | -------------------------------------------------------------- | -------- | --------- | ------------ |
| Managed Service | [Managed Kubernetes](/cloud/containers/managed-kubernetes.md)  | Yes      | Yes       | Done         |

## Risk on IONOS Cloud user environment

The IONOS Cloud-provided managed Kubernetes environment is not based on Proxmox Image Builder, so CVE-2024-9486 does not impact our infrastructure and user environments. However, some parts of our infrastructure use QEMU to build clusters and are impacted by CVE-2024-9594. Even though CVE-2024-9594 is rated as medium, we consider this issue very low severity as we already have the required mitigation to prevent the mentioned attack vector on our infrastructure. At the moment, no active exploitation of these vulnerabilities is known.

## What action has IONOS Cloud taken to mitigate the severity?

IONOS Cloud will apply the patch to the affected products and services soon. We will update the patching status once the process is complete.

## What action can you take to mitigate the vulnerability?

IONOS Cloud owns the patching responsibility, and no action is required from the user.

## How can I get help?

If you have further questions or concerns about this vulnerability, contact [IONOS Cloud Support](https://docs.ionos.com/cloud/support/general-information/contact-information).
