# Advisory on Kubernetes Image Builder Vulnerabilities

A security researcher discovered a security issue in Kubernetes where an unauthorized user may be able to SSH to a node VM that uses a VM image built with the Kubernetes [Image Builder](https://github.com/kubernetes-sigs/image-builder) project. The vulnerable images contain a pre-configured user with a weak default password that can be used to log in via SSH. That user can then use `sudo` to escalate privileges to root.
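The advisory describes three conditions that together expose a node: an account with a usable password, an SSH daemon that accepts password logins, and passwordless `sudo` for that account. The following script is an added example for this page (not code from IONOS Cloud, the advisory, or the image-builder project) that audits a node root filesystem, or an image mounted under a directory, for exactly that combination. The file paths are the usual Debian/Ubuntu ones, the account name `builder-sample` and the hash in the sample files are placeholders, and the two sample roots are constructed in a temporary directory so the script runs offline.

```shell
#!/bin/sh
# Added audit helper for the condition described in this advisory. It is not
# code from IONOS Cloud or the kubernetes-sigs/image-builder project.
# It looks for the three things that together make a node reachable the way the
# advisory describes: an account with a usable password hash, sshd accepting
# password logins, and passwordless sudo for that account (directly, via ALL,
# or via a group listed in /etc/group). File paths are the usual Debian/Ubuntu
# ones (assumption); point audit_node at a mounted image root to audit offline.

# Print "yes" or "no": does sshd accept password authentication?
# OpenSSH honours the first matching directive and defaults to yes when none is
# set. Match blocks are not evaluated (simplification).
sshd_password_auth() {
    val=$(awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }' "$1" 2>/dev/null)
    case "$val" in
        no) echo "no" ;;
        *)  echo "yes" ;;
    esac
}

# Print one account per line whose shadow entry holds a usable password hash
# (field 2 not empty, not "*", and not starting with "!", which means locked).
password_accounts() {
    awk -F: '$2 != "" && $2 != "*" && substr($2, 1, 1) != "!" { print $1 }' "$1" 2>/dev/null
}

# Print one principal per line (user, %group or ALL) granted NOPASSWD sudo,
# from the main sudoers file ($1) and the drop-in directory ($2).
nopasswd_sudo() {
    {
        [ -f "$1" ] && cat "$1"
        for f in "$2"/*; do [ -f "$f" ] && cat "$f"; done
    } | awk '/^[ \t]*#/ { next } /NOPASSWD/ { print $1 }'
}

# Print the supplementary groups of user $2 as listed in group file $1.
user_groups() {
    awk -F: -v u="$2" '{ n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }' "$1" 2>/dev/null
}

# Return 0 if user $2 can sudo without a password according to the NOPASSWD
# principal list in $1 (newline separated), resolving %group entries via $3.
has_nopasswd() {
    echo "$1" | grep -qx -e "$2" -e ALL && return 0
    for g in $(user_groups "$3" "$2"); do
        echo "$1" | grep -qx "%$g" && return 0
    done
    return 1
}

# Audit the filesystem rooted at $1. Prints one EXPOSED line per affected
# account and returns 1 if any was found, 0 otherwise. root itself is flagged
# whenever it has a password and sshd accepts passwords (PermitRootLogin is
# not checked; simplification).
audit_node() {
    base="$1"
    pw_auth=$(sshd_password_auth "$base/etc/ssh/sshd_config")
    sudo_list=$(nopasswd_sudo "$base/etc/sudoers" "$base/etc/sudoers.d")
    status=0
    for u in $(password_accounts "$base/etc/shadow"); do
        [ "$pw_auth" = "yes" ] || continue
        if [ "$u" = root ] || has_nopasswd "$sudo_list" "$u" "$base/etc/group"; then
            echo "EXPOSED: $u has a password, sshd accepts passwords, and sudo is NOPASSWD"
            status=1
        fi
    done
    return $status
}

# --- Constructed sample roots (not real image contents) --------------------
# $1 = destination root, $2 = PasswordAuthentication value to write.
# The account name "builder-sample" and its hash are placeholders.
write_sample() {
    mkdir -p "$1/etc/ssh" "$1/etc/sudoers.d"
    printf 'Port 22\nPasswordAuthentication %s\n' "$2" > "$1/etc/ssh/sshd_config"
    cat > "$1/etc/shadow" <<'EOF'
root:*:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
builder-sample:$6$constructedsalt$constructedhash:19000:0:99999:7:::
EOF
    printf 'sudo:x:27:builder-sample\n' > "$1/etc/group"
    printf 'root ALL=(ALL:ALL) ALL\n%%sudo ALL=(ALL:ALL) NOPASSWD: ALL\n' > "$1/etc/sudoers"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SAMPLE_VULN="$WORK/vuln";         write_sample "$SAMPLE_VULN" yes
SAMPLE_HARDENED="$WORK/hardened"; write_sample "$SAMPLE_HARDENED" no

if audit_node "$SAMPLE_VULN"; then echo "vuln sample: clean (unexpected)"; else echo "vuln sample: findings above"; fi
if audit_node "$SAMPLE_HARDENED"; then echo "hardened sample: clean"; else echo "hardened sample: findings above"; fi
```

On a live node run `audit_node /`; for an image, mount it and pass the mount point. The hardened sample differs from the vulnerable one only in `PasswordAuthentication no`, which is enough to close the SSH path the advisory describes even while the account and its `NOPASSWD` grant remain; removing the pre-configured account or locking its password (a `!` prefix in the shadow field) would clear the other two conditions as well.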

The following are the vulnerabilities found in Kubernetes Image Builder:

| CVE ID                                                                   | Summary                                                                                                                             |
| ------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------- |
| [CVE-2024-9486](https://github.com/kubernetes/kubernetes/issues/128006) | This security issue has been rated **Critical** with a **9.8** CVSS score for images built with the Proxmox provider.               |
| [CVE-2024-9594](https://github.com/kubernetes/kubernetes/issues/128007) | This security issue has been rated **Medium** with a **6.3** CVSS score for images built with Nutanix, OVA, QEMU, or raw providers. |

The most severe of these vulnerabilities is [CVE-2024-9486](https://github.com/kubernetes/kubernetes/issues/128006), which is classified as **Critical** severity with a CVSS score of **9.8**.

## Impacted IONOS Cloud Products

| Product Ranges  | Product                                                                                          | Impacted | Mitigated | Patch Status |
| --------------- | ------------------------------------------------------------------------------------------------ | -------- | --------- | ------------ |
| Managed Service | [Managed Kubernetes](https://docs.ionos.com/sections-test/guides/containers/managed-kubernetes) | Yes      | Yes       | Done         |

## Risk on IONOS Cloud user environment

The IONOS Cloud-provided managed Kubernetes environment is not built with the Image Builder Proxmox provider, so CVE-2024-9486 does not affect our infrastructure or user environments. However, some parts of our infrastructure use QEMU to build clusters and are therefore affected by CVE-2024-9594. Even though CVE-2024-9594 is rated Medium, we consider this issue very low severity because we already have the required mitigation in place to prevent the described attack vector on our infrastructure. At the moment, no active exploitation of these vulnerabilities is known.

## What action has IONOS Cloud taken to mitigate the severity?

IONOS Cloud will apply the patch to the affected products and services soon. We will update the patching status once the process is complete.

## What action can you take to mitigate the vulnerability?

IONOS Cloud owns the patching responsibility, and no action is required from the user.

## How can I get help?

If you have further questions or concerns about this vulnerability, contact [IONOS Cloud Support](https://docs.ionos.com/cloud/support/general-information/contact-information).
