Kubernetes Image Builder Vulnerability Poses Root Access Risk




Oct 17, 2024

Ravie Lakshmanan

Vulnerability / Kubernetes

A critical security flaw has been disclosed in the Kubernetes Image Builder that could be exploited to gain root access. The vulnerability, identified as CVE-2024-9486 (CVSS score: 9.8), has been fixed in version 0.1.38. Nicolai Rybnikar is credited with its discovery.

Red Hat’s Joel Smith explained, “A security issue was discovered in the Kubernetes Image Builder where default credentials are enabled during the image build process.”

Specifically, virtual machine images created using the Proxmox provider do not disable these default credentials, potentially allowing an unauthorized party to use them to gain root access.

Kubernetes clusters are affected by this flaw only if their nodes use VM images built via the Image Builder project with the Proxmox provider. Interim mitigations include disabling the builder account on impacted VMs and rebuilding images using a patched version of Image Builder.

The fix implemented by the Kubernetes team replaces default credentials with randomly-generated passwords during the image build and disables the builder account upon completion.

Furthermore, Kubernetes Image Builder version 0.1.38 resolves another issue (CVE-2024-9594, CVSS score: 6.3) related to default credentials in images built with other providers like Nutanix, OVA, QEMU, and raw.
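To verify on a node or a mounted image that the builder account is actually disabled, the following added example (not from the article or the Image Builder project) classifies the account from passwd and shadow files. It assumes the account is named `builder` as in the article and the standard Linux shadow(5) layout; the function name `builder_status` and the fixture files are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether the "builder" account can still log in.
# On a node (root is needed to read shadow): builder_status /etc/passwd /etc/shadow

# Prints one of: absent | expired | locked | enabled | unknown
builder_status() {
    passwd_file=$1
    shadow_file=$2
    account=${3:-builder}            # account name as given in the article
    today=$(( $(date +%s) / 86400 )) # shadow(5) dates are days since the epoch

    # No passwd entry: the account does not exist on this system.
    if ! awk -F: -v u="$account" '$1 == u { f = 1 } END { exit !f }' "$passwd_file"; then
        echo absent
        return 0
    fi

    awk -F: -v u="$account" -v today="$today" '
        $1 == u {
            seen = 1
            # Field 8: account expiry date. A past date means the account is disabled.
            if ($8 + 0 > 0 && $8 + 0 <= today) print "expired"
            # Field 2: a leading "!" or "*" blocks password login only;
            # key-based SSH login may still work with a locked password.
            else if ($2 ~ /^[!*]/)            print "locked"
            else                               print "enabled"
        }
        END { if (!seen) print "unknown" }    # in passwd but no shadow entry
    ' "$shadow_file"
}

# Constructed fixtures (not taken from a real image).
fixture_dir=$(mktemp -d)
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
              'builder:x:1000:1000::/home/builder:/bin/bash' > "$fixture_dir/passwd"
printf '%s\n' 'root:*:19000:0:99999:7:::' \
              'builder:$6$constructedsalt$constructedhash:19000:0:99999:7:::' > "$fixture_dir/shadow_enabled"
printf '%s\n' 'builder:!$6$constructedsalt$constructedhash:19000:0:99999:7:::' > "$fixture_dir/shadow_locked"
printf '%s\n' 'builder:$6$constructedsalt$constructedhash:19000:0:99999:7::1:' > "$fixture_dir/shadow_expired"

for f in enabled locked expired; do
    echo "$f fixture -> $(builder_status "$fixture_dir/passwd" "$fixture_dir/shadow_$f")"
done
```

A result of `enabled` on an image built with the Proxmox provider is the condition the article describes; `locked` alone leaves any authorized SSH keys for the account usable, so check those as well.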

On a different note, Microsoft has recently issued fixes for three Critical-rated vulnerabilities in its Dataverse, Imagine Cup, and Power Platform services, each posing potential risks of privilege escalation or information disclosure.

  • CVE-2024-38139 (CVSS score: 8.7) – Improper authentication in Microsoft Dataverse
  • CVE-2024-38204 (CVSS score: 7.5) – Improper Access Control in Imagine Cup
  • CVE-2024-38190 (CVSS score: 8.6) – Missing authorization in Power Platform

Meanwhile, Apache Solr has patched a critical authentication bypass vulnerability (CVE-2024-45216) that could lead to unauthorized access on affected instances.

The GitHub advisory for the Solr flaw explains how a certain URL path allows requests to bypass authentication, affecting versions 5.3.0 to 8.11.4 and 9.0.0 to 9.7.0.
