A security researcher discovered a security issue in Kubernetes where an unauthorized user may be able to SSH into a node VM that runs a VM image built with the Kubernetes Image Builder project. The vulnerable images contain a pre-configured user with a weak default password that can be used to log in over SSH. That user can then use "sudo" to escalate privileges to root.
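The issue described above combines three properties of a built image: a pre-configured account, a usable default password, and a sudo grant for that account. A defender validating node images can check for exactly that combination before an image is released. The script below is an added example, not IONOS or Kubernetes Image Builder code; it parses shadow- and sudoers-format text passed as arguments and reports accounts that both carry a real password hash and are named directly in a sudoers rule. The account name and hash in the sample input are constructed placeholders and do not reproduce the real Image Builder account.

```shell
#!/bin/sh
# Added audit example (not IONOS or Kubernetes Image Builder code).
# Flags local accounts that combine a usable password hash with a direct
# sudo grant, the pattern described in the advisory. Sample data below
# is constructed; the account name "imgbuild" and its hash are placeholders.

# Login names whose shadow password field holds a real hash, i.e. is
# neither empty nor a locked marker starting with "!" or "*".
accounts_with_password() {
    printf '%s\n' "$1" | awk -F: '$2 != "" && $2 !~ /^[!*]/ { print $1 }'
}

# Users named directly in a sudoers rule. Skips blank lines, comments,
# Defaults lines and group (%name) rules; group membership needs a
# separate check against /etc/group.
sudo_users() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/        { next }
        /^[[:space:]]*$/        { next }
        /^[[:space:]]*Defaults/ { next }
        /^[[:space:]]*%/        { next }
        /=/                     { print $1 }
    '
}

# Accounts present in both lists: a usable password and a sudo grant.
risky_accounts() {
    pw_users=$(accounts_with_password "$1")
    su_users=$(sudo_users "$2")
    for u in $pw_users; do
        for s in $su_users; do
            if [ "$u" = "$s" ]; then
                printf '%s\n' "$u"
            fi
        done
    done
    return 0
}

# Human-readable verdict; returns 1 when at least one risky account exists.
audit_report() {
    found=$(risky_accounts "$1" "$2")
    if [ -z "$found" ]; then
        echo "OK: no account combines a usable password with a direct sudo grant"
        return 0
    fi
    echo "WARNING: accounts with a usable password and a direct sudo grant:"
    for u in $found; do
        echo "  $u"
    done
    return 1
}

# Constructed sample input standing in for /etc/shadow and /etc/sudoers
# on a freshly built node image.
SAMPLE_SHADOW='root:*:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
imgbuild:$6$placeholdersalt$placeholderhash:19700:0:99999:7:::
ops:!:19700:0:99999:7:::'

SAMPLE_SUDOERS='# constructed sample sudoers
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
imgbuild ALL=(ALL) NOPASSWD:ALL'

# On a live node (as root) the same check would run as:
#   audit_report "$(cat /etc/shadow)" "$(cat /etc/sudoers /etc/sudoers.d/* 2>/dev/null)"
if audit_report "$SAMPLE_SHADOW" "$SAMPLE_SUDOERS"; then
    echo "image passes the default-account check"
else
    echo "image fails the default-account check"
fi
```

Run against the constructed sample, the check flags `imgbuild` and fails the image, while `root` (locked password field `*`) and `ops` (locked with `!`) pass. A clean image from a build pipeline should produce the OK verdict; anything else means a credential shipped inside the image and needs to be removed or locked before nodes are provisioned.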
The following are the vulnerabilities found in Kubernetes Image Builder:
CVE ID | Summary |
---|---|
CVE-2024-9486 | Rated Critical with a 9.8 CVSS score for images built with the Proxmox provider. |
CVE-2024-9594 | Rated Medium with a 6.3 CVSS score for images built with the Nutanix, OVA, QEMU, or raw providers. |
The most severe of these vulnerabilities is CVE-2024-9486, which is classified as Critical severity with a CVSS score of 9.8.
Product Ranges | Product | Impacted | Mitigated | Patch Status |
---|---|---|---|---|
Managed Service | | Yes | No | Planned |
The IONOS-provided managed Kubernetes environment is not built with the Image Builder Proxmox provider, so CVE-2024-9486 does not affect our infrastructure or user environments. However, some parts of our infrastructure use QEMU to build clusters and are affected by CVE-2024-9594. Although CVE-2024-9594 is rated Medium, we consider this issue very low severity for our environment because the mitigation that blocks the described attack vector is already in place on our infrastructure. No active exploitation of these vulnerabilities is known at this time.
IONOS Cloud will apply the patch to the affected products and services soon and will update the patching status once the process is complete.
IONOS Cloud owns the patching responsibility; no action is required from the user.
If you have further questions or concerns about this vulnerability, contact IONOS Cloud Support.