Google Cloud has fixed a flaw impacting Kubernetes that could allow an attacker to escalate their privileges.
According to TheHackerNews, Palo Alto Networks Unit 42 discovered the flaw and reported it via Google’s Vulnerability Reward Program. Google detailed the issue in a security bulletin:
An attacker who has compromised the Fluent Bit logging container could combine that access with high privileges required by Anthos Service Mesh (on clusters that have enabled it) to escalate privileges in the cluster. The issues with Fluent Bit and Anthos Service Mesh have been mitigated and fixes are now available. These vulnerabilities are not exploitable on their own in GKE and require an initial compromise. We are not aware of any instances of exploitation of these vulnerabilities.
Google recommends manually upgrading GKE to ensure customers are running the patched version:
The following versions of GKE have been updated with code to fix these vulnerabilities in Fluent Bit and for users of managed Anthos Service Mesh. For security purposes, even if you have node auto-upgrade enabled, we recommend that you manually upgrade your cluster and node pools to one of the following GKE versions or later:
- 1.25.16-gke.1020000
- 1.26.10-gke.1235000
- 1.27.7-gke.1293000
- 1.28.4-gke.1083000