Advisory on Kubernetes Image Builder Vulnerabilities

A security researcher discovered a security issue in Kubernetes where an unauthorized user may be able to SSH into a node VM that runs a VM image built with the Kubernetes Image Builder project. The vulnerable images contain a pre-configured build user account with a known default password that accepts SSH logins. Once logged in, that user can use "sudo" to escalate privileges to root.

The following are the vulnerabilities found in Kubernetes Image Builder:

CVE ID           Summary
CVE-2024-9486    Images built with the Proxmox provider keep the pre-configured build account and its default password enabled in the finished image, so any node booted from such an image can be reached over SSH. Rated Critical, CVSS 9.8.
CVE-2024-9594    Images built with the Nutanix, OVA, QEMU, or raw providers enable the same default credentials only while the image is being built; the exposure is limited to the build VM during that window. Rated Medium, CVSS 6.3.

The most severe of these is CVE-2024-9486, rated Critical with a CVSS score of 9.8.
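As an added example (not code from IONOS Cloud or from the Kubernetes Image Builder project), the following POSIX shell script audits a node for the pattern described above: an account that can still authenticate with a password and that holds passwordless sudo. The account name "builder" is the upstream Image Builder default and is an assumption here, since this advisory does not name it; the shadow and sudoers lines embedded in the script are constructed test data, not taken from any real host. The upstream Kubernetes advisory recommends locking that account with "usermod -L builder" on affected VMs and rebuilding with Image Builder v0.1.38 or later, which uses a random build-time password and disables the account when the build finishes.

```shell
#!/bin/sh
# Added example (not IONOS or Kubernetes Image Builder code): audit a node for the
# CVE-2024-9486 / CVE-2024-9594 pattern, i.e. a build account that still has a
# usable password AND passwordless sudo. The account name "builder" is the upstream
# Image Builder default (an assumption; the advisory above does not name it).

# Constructed sample data so the checks can be exercised offline; not from a real host.
SAMPLE_SHADOW='root:*:19600:0:99999:7:::
builder:$6$rounds=5000$saltsalt$fakehashfakehash:19600:0:99999:7:::
locked:!:19600:0:99999:7:::'
SAMPLE_SUDOERS='# /etc/sudoers (constructed)
root ALL=(ALL:ALL) ALL
builder ALL=(ALL) NOPASSWD:ALL
locked ALL=(ALL) ALL'

# account_enabled NAME [SHADOW_TEXT]: returns 0 if NAME can authenticate with a password.
# Reads /etc/shadow (needs root) when no text is supplied. A password field starting
# with "!" means locked and "*" means no password login; anything else is a real hash,
# and an empty field means no password is required at all, which is worse, not safer.
account_enabled() {
  shadow="${2:-$(cat /etc/shadow)}"
  line=$(printf '%s\n' "$shadow" | awk -F: -v u="$1" '$1 == u')
  [ -n "$line" ] || return 1                  # account does not exist on this host
  hash=$(printf '%s\n' "$line" | cut -d: -f2)
  case "$hash" in
    '!'*|'*'*) return 1 ;;                    # locked / no password login
    *)         return 0 ;;                    # real hash, or empty (no password needed)
  esac
}

# sudo_nopasswd NAME [SUDOERS_TEXT]: returns 0 if a non-comment sudoers rule for NAME
# (or for ALL users) carries NOPASSWD. Reads /etc/sudoers and /etc/sudoers.d/* when no
# text is supplied. Group rules (%wheel etc.) are out of scope for this check.
sudo_nopasswd() {
  sudoers="${2:-$(cat /etc/sudoers /etc/sudoers.d/* 2>/dev/null)}"
  printf '%s\n' "$sudoers" \
    | grep -v '^[[:space:]]*#' \
    | grep -E "^[[:space:]]*($1|ALL)[[:space:]]" \
    | grep -q 'NOPASSWD'
}

# audit_account NAME [SHADOW_TEXT] [SUDOERS_TEXT]: returns 0 and prints VULNERABLE when
# both conditions hold (the SSH-then-sudo path described in the advisory is open),
# returns 1 and prints OK otherwise.
audit_account() {
  if account_enabled "$1" "${2:-}" && sudo_nopasswd "$1" "${3:-}"; then
    echo "VULNERABLE: $1 accepts password logins and has passwordless sudo"
    return 0
  fi
  echo "OK: $1 is absent, locked, or lacks passwordless sudo"
  return 1
}

# lock_account NAME: the upstream-recommended mitigation. "usermod -L" prefixes the
# shadow hash with "!", which disables password authentication for the account.
# Only meaningful as root; returns 1 otherwise.
lock_account() {
  [ "$(id -u)" -eq 0 ] || { echo "lock_account: must run as root" >&2; return 1; }
  usermod -L "$1"
}

# Usage on a live node:  sh audit_builder.sh --audit [NAME]   (NAME defaults to "builder")
if [ "${1:-}" = "--audit" ]; then
  audit_account "${2:-builder}"
fi
```

Run it as root on a node so that /etc/shadow and /etc/sudoers are readable; a VULNERABLE verdict on a finished image is the CVE-2024-9486 condition, while seeing it only on a VM that is still being built corresponds to CVE-2024-9594.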

Impacted IONOS Cloud Products

Product Range      Product               Impacted   Mitigated   Patch Status
Managed Service    Managed Kubernetes    Yes        No          Planned

Risk on IONOS Cloud user environment

The IONOS-provided managed Kubernetes environment is not built with the Image Builder Proxmox provider, so CVE-2024-9486 does not affect our infrastructure or user environments. Some parts of our infrastructure do use the QEMU provider to build cluster images and are therefore in scope for CVE-2024-9594. Although CVE-2024-9594 is rated Medium, we consider it very low severity for our environment: the default credentials are only usable while an image is being built, and the mitigation that blocks that attack vector is already in place on our infrastructure. No active exploitation of either vulnerability is known at this time.

What action has IONOS Cloud taken to mitigate the severity?

IONOS Cloud will apply the patch to the affected products and services soon. We will update the patching status once the process is complete.

What action can you take to mitigate the vulnerability?

IONOS Cloud owns the patching responsibility for the managed service, so no action is required from users of the products listed above.

How can I get help?

If you have further questions or concerns about this vulnerability, contact IONOS Cloud Support.

Last updated