Kubernetes’ first major security hole discovered

Published on techrepublic



Kubernetes has become the most popular cloud container orchestration system by far, so it was only a matter of time until its first major security hole was discovered. And the bug, CVE-2018-1002105, aka the Kubernetes privilege escalation flaw, is a doozy. It’s a CVSS 9.8 critical security hole.

With a specially crafted network request, any user can establish a connection through the Kubernetes application programming interface (API) server to a backend server. Once established, an attacker can send arbitrary requests over the network connection directly to that backend. Adding insult to injury, these requests are authenticated with the Kubernetes API server’s Transport Layer Security (TLS) credentials.


Can you say root? I knew you could.

Worse still, “In default configurations, all users (authenticated and unauthenticated) are allowed to perform discovery API calls that allow this escalation.” So, yes, anyone who knows about this hole can take command of your Kubernetes cluster.

Oh, and for the final jolt of pain: “There is no simple way to detect whether this vulnerability has been used. Because the unauthorized requests are made over an established connection, they do not appear in the Kubernetes API server audit logs or server log. The requests do appear in the kubelet or aggregated API server logs, but are indistinguishable from correctly authorized and proxied requests via the Kubernetes API server.”

In other words, Red Hat said, “The privilege escalation flaw makes it possible for any user to gain full administrator privileges on any compute node being run in a Kubernetes pod. This is a big deal. Not only can this actor steal sensitive data or inject malicious code, but they can also bring down production applications and services from within an organization’s firewall.”

Fortunately, there is a fix, but some of you aren’t going to like it. You must upgrade Kubernetes. Now. Specifically, there are patched versions of Kubernetes: v1.10.11, v1.11.5, v1.12.3, and v1.13.0-rc.1.

If you’re still using Kubernetes v1.0.x-1.9.x, stop. Update to a patched version. If for some reason you can’t move up, there are cures, but they’re almost worse than the disease. You must suspend use of aggregated API servers and remove pod exec/attach/portforward permissions from users that should not have full access to the kubelet API. Jordan Liggitt, the Google software engineer who fixed the bug, said these mitigations are likely to be disruptive. You think?
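For the permissions half of that mitigation, the following added example (not from the original article or the Kubernetes project) lists which subjects are bound to RBAC roles that grant pod exec/attach/portforward. It assumes the roles and bindings were exported as a `kubectl ... -o json` list; the function names and the sample objects are constructed for illustration.

```python
import json

SUBRESOURCES = ("exec", "attach", "portforward")

def risky_subresources(rule):
    """Pod subresources from the article's mitigation that one RBAC rule grants."""
    if not {"", "*"} & set(rule.get("apiGroups", [])):
        return set()  # rule does not cover the core API group, where pods live
    if not {"create", "get", "*"} & set(rule.get("verbs", [])):
        return set()  # assumption: these are the verbs used to open the streams
    resources = set(rule.get("resources", []))
    return {s for s in SUBRESOURCES if resources & {"*", "pods/" + s, "*/" + s}}

def audit(objects):
    """Return sorted (subject, role, subresources) for each binding to a risky role."""
    risky = {}
    for o in objects:
        if o["kind"] in ("Role", "ClusterRole"):
            found = set().union(*(risky_subresources(r) for r in o.get("rules") or []))
            if found:
                meta = o["metadata"]
                risky[(o["kind"], meta.get("namespace", ""), meta["name"])] = found
    findings = []
    for o in objects:
        if o["kind"] in ("RoleBinding", "ClusterRoleBinding"):
            ref = o["roleRef"]
            # A RoleBinding to a Role resolves inside the binding's own namespace.
            ns = o["metadata"].get("namespace", "") if ref["kind"] == "Role" else ""
            subs = risky.get((ref["kind"], ns, ref["name"]))
            if subs:
                for subject in o.get("subjects") or []:
                    who = subject["kind"] + ":" + subject["name"]
                    findings.append((who, ref["name"], sorted(subs)))
    return sorted(findings)

# Constructed sample in the shape of a `kubectl get ... -o json` list.
SAMPLE = json.loads('''{"kind": "List", "items": [
 {"kind": "ClusterRole", "metadata": {"name": "ops-admin"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
 {"kind": "Role", "metadata": {"name": "debugger", "namespace": "shop"},
  "rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]},
 {"kind": "Role", "metadata": {"name": "reader", "namespace": "shop"},
  "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get"]}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "ops"},
  "roleRef": {"kind": "ClusterRole", "name": "ops-admin"},
  "subjects": [{"kind": "Group", "name": "ops-team"}]},
 {"kind": "RoleBinding", "metadata": {"name": "dbg", "namespace": "shop"},
  "roleRef": {"kind": "Role", "name": "debugger"},
  "subjects": [{"kind": "User", "name": "alice"}]},
 {"kind": "RoleBinding", "metadata": {"name": "ro", "namespace": "shop"},
  "roleRef": {"kind": "Role", "name": "reader"},
  "subjects": [{"kind": "User", "name": "bob"}]}]}''')["items"]
```

Each finding is a subject whose binding would have to be reviewed or removed; wildcard roles show up with all three subresources.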

The only real fix is to upgrade Kubernetes.
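To check a cluster against the fixed releases listed above, here is an added example (not from the original article or the Kubernetes project) that classifies an API server version string. The function names and the sample `kubectl version -o json` output are constructed, and vendor builds are reported as unknown on the assumption that distributors may backport the fix without changing the upstream number.

```python
import json
import re

# Fixed patch level per 1.x minor line, as listed in the article.
FIXED_PATCH = {10: 11, 11: 5, 12: 3}
UPSTREAM = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc)\.(\d+))?")

def classify(git_version):
    """Return 'patched', 'vulnerable' or 'unknown' for CVE-2018-1002105."""
    m = UPSTREAM.fullmatch(git_version.strip())
    if not m or m.group(1) != "1":
        # Vendor or development builds (suffixes such as '+abc123') may carry
        # backported fixes, so they are not judged by number here (assumption).
        return "unknown"
    minor, patch = int(m.group(2)), int(m.group(3))
    kind, num = m.group(4), m.group(5)
    if minor <= 9:
        return "vulnerable"  # v1.0.x-1.9.x: the article lists no fixed release
    if minor in FIXED_PATCH:
        fixed = FIXED_PATCH[minor]
        # A pre-release of the fixed patch level was cut before it.
        ok = patch > fixed or (patch == fixed and kind is None)
        return "patched" if ok else "vulnerable"
    if minor == 13 and patch == 0 and kind is not None:
        # Of the 1.13.0 pre-releases, only rc.1 and later are listed as fixed.
        return "patched" if kind == "rc" and int(num) >= 1 else "vulnerable"
    return "patched"  # 1.13.0 final and later releases

def server_git_version(kubectl_json):
    """Extract the API server version from `kubectl version -o json` output."""
    return json.loads(kubectl_json)["serverVersion"]["gitVersion"]

# Constructed sample output, trimmed to the fields used here.
SAMPLE = '{"clientVersion": {"gitVersion": "v1.13.0"}, "serverVersion": {"gitVersion": "v1.12.2"}}'
```

The server version is the one that matters here, since the flaw is in the API server's connection handling, not in the client.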


Any program that includes Kubernetes is vulnerable. Kubernetes distributors are already releasing fixes.

Red Hat reports all its “Kubernetes-based services and products — including Red Hat OpenShift Container Platform, Red Hat OpenShift Online, and Red Hat OpenShift Dedicated — are affected.” Red Hat has begun delivering patches and service updates to affected users.

As far as anyone knows, no one has used the security hole to attack anyone yet. Darren Shepherd, chief architect and co-founder at Rancher Labs, discovered the bug and reported it using the Kubernetes vulnerability reporting process.

But — and it’s a big but — abusing the vulnerability would have left no obvious traces in the logs. And, now that news of the Kubernetes privilege escalation flaw is out, it’s only a matter of time until it’s abused.

So, once more and with feeling, upgrade your Kubernetes systems now before your company ends up in a world of trouble.

Polestar 2 electric car reveals paid download to add horsepower

Polestar has released a downloadable over-the-air (OTA) update for all long-range dual-motor versions of the Polestar 2. The electric automaker’s latest performance software upgrade unlocks more horsepower and nippier acceleration, good things to have in a premium electric performance car.

Polestar has already released numerous software updates for the 2, but most of them had something to do with convenience features and range/charging improvements. The latest software upgrade is the first time Polestar applies its tuning magic to an all-electric model. If you’re old enough to remember, Polestar started life in 1996 as Volvo’s tuning arm similar to BMW’s M division and Mercedes-AMG.

So, what does the performance update give you? It adds 67 more horsepower and around 15 torque, boosting the power output to 470 horsepower and 502 pound-feet of torque. What’s more, the power boost has given the Polestar 4 nippier acceleration. According to the automaker, accelerating from zero to 60 mph now only takes 4.4-seconds, better than the outdated software’s 4.7-seconds.

Best of all, everything happens with a few taps on the screen. The Polestar 2 is not a slow car by any means. In stock form, the Polestar 2’s 408-horsepower translates to an “addictive wave of instant torque, combined with a satisfying thrum rather than the bordering-on-harsh electric shriek some EV motors produce,” said executive editor Chris Davies upon driving the Polestar 2 last year. But with 67 more horses, the software update has added more spice to the EV’s grand-touring potential.

Furthermore, Polestar claims the additional muscle has no penalties for range and energy consumption. Equipped with a 78 kWh battery, Polestar 2 Long Range Dual Motor achieves an EPA-rated 233 miles of range. It has an 11 kW onboard charger and supports up to 150 kW of DC fast charging. With the latter, you’re looking at zero to 80-percent in around 40 minutes.

However, the latest Polestar 2 performance software upgrade is not free of charge. It starts at around €1,000 ($1,130) and is currently available to download in Europe, including the UK, Norway, Netherlands, Sweden, Switzerland, Denmark, Germany, Austria, and Finland. Meanwhile, Canadian and US owners can avail of the OTA update starting early next year.

EPA gives 2022 Ioniq 5 EV better range than Hyundai’s first claims

South Korean automaker Hyundai has outdone itself with the 2022 Ioniq 5. Not only did Hyundai create an awesome-looking all-electric vehicle that won’t look out of place in the film set of Back to the Future 2, but the Ioniq 5 managed better range numbers than Hyundai initially suggested.

As Hyundai revealed today, the 2022 Hyundai Ioniq 5 can achieve an EPA-rated 303 miles of driving range, and those numbers apply to the single-motor rear-wheel-drive variant equipped with a 77.4 kWh battery pack. Other markets get two battery options, including a smaller 58.2 kWh unit, but all U.S.-bound Hyundai Ioniq 5s will have the 77.4 kWh long-range battery option.

With a single electric motor, you’ll have 225 horsepower and 258 pound-feet of torque at your disposal, which is plenty enough for most driving applications. But if you want a zippier Ioniq 5, you’ll need to go for the dual-motor AWD variant with a combined 320 horsepower and 446 pound-feet of torque. Both configurations allow a top speed of 115 mph, while the maximum tow rating is 2,000 pounds. Hyundai claims zero to 60 mph in under five seconds, not bad for a vintage-inspired EV.

However, the AWD model achieves lower EPA numbers: 256 miles on a single full charge. If the batteries go flat, the Ioniq 5 offers what Hyundai claims is the world’s first multi-charging system that supports both 400V and 800V charging infrastructures. A standard Level 2 10.9 kW onboard charger replenishes the batteries in around 6.5 hours. But if you have access to a 350 kW DC fast charger, the Ioniq 5 can juice up from ten to 80-percent in under 20 minutes.

Furthermore, Hyundai has partnered with Electrify America to give Ioniq 5 owners total access to the latter’s network of over 700 charging stations across America. Each Ioniq 5 comes with free and unlimited 30-minute charging sessions for two years from the purchase date. Suddenly, the 2022 Hyundai Ioniq 5 has become a top choice in the EV category. With over 300 miles of range and free unlimited charging, the stakes have gone higher, and we have yet to discuss the Ioniq 5’s tasteful yet purposeful retro design.

Starting life as the Hyundai 45 EV Concept at the 2019 IAA auto show in Germany, the production Ioniq 5 is essentially a concept in production guise. The angular styling is a throwback to yesteryears, but there’s genuine substance behind its quirky design. The Ioniq 5 has a four-inch longer wheelbase than a Hyundai Palisade (measuring a lengthy 118.1-inches, the longest wheelbase in a Hyundai production vehicle) despite measuring a full 14-inches shorter in length.

Combined with shorter front and rear overhangs, Hyundai claims Ioniq 5 has a greater passenger volume than the Ford Mustang Mach E and VW ID.4. In addition, Ioniq 5 has 27.2 cubic feet of cargo room behind the rear seats. Meanwhile, folding the rear seats reveals 59.3 cubic feet of storage space.

Other neat features include Hyundai’s V2L function that essentially turns the Ioniq 5 into a humongous power bank. Best of all, it can even charge a stranded EV. “Ioniq 5 introduces the Hyundai brand to a whole new set of buyers,” said Jose Munoz, president and CEO, Hyundai North America. “Owning one is going to be a new experience and lifestyle that only the Ioniq brand can provide.”

The 2022 Hyundai Ioniq 5 will sell this winter in three trims: SE, SEL, and Limited. Hyundai has yet to disclose the MSRP, but we’re expecting base prices to start under $45,000.

2022 Honda Passport goes upmarket with one monster price hike

This winter, the redesigned 2022 Honda Passport is arriving at dealerships with a significant price hike. The base Sport trim from the outgoing model is gone for 2022, making way for the new base EX-L trim with standard front-wheel drive (AWD remains a $2,100 option).

With base prices starting at $39,095 (including $1,225 destination fees), the 2022 Passport is about $5k more than last year. What’s more, it now costs thousands of dollars more than its nearest competitors like the VW Atlas Cross Sport, Toyota Venza (which is a hybrid), and Hyundai Santa Fe.

For the money, you get an array of premium equipment like perforated leather seats with contrasting stitching, a remote power tailgate, an 8-inch infotainment touchscreen with Apple CarPlay and Android Auto connectivity, wireless charging, and remote engine start. Also standard are 20-inch alloy wheels and a one-touch power moonroof.

All Honda Passports have a 3.5-liter V6 engine pumping out 280 horsepower to the front wheels or all four wheels using the brand’s i-VTM4 torque-vectoring all-wheel-drive system. Both drivetrains have a nine-speed automatic gearbox. Honda Sensing is also standard across the lineup and includes hi-tech safety aids like lane departure warning, adaptive cruise control, lane-keeping assist, collision mitigating braking, and road departure mitigation.

The all-new Passport Trailsport has standard AWD and is the most off-road ready of the bunch. It starts at $43,695 and gets machined 18-inch wheels, chunkier off-road tires, and silver skid plates. It also has bespoke logos, rugged front/rear bumpers, heated wipers, and a 10mm wider track. All 2022 Passports with AWD feature up to 8.1-inches of ground clearance and a 5,000-pound towing capacity.

“The new Passport and Passport Trailsport don’t just look rugged; they’re ready, willing, and able to get dirty tackling trails,” said Michael Kistemaker, assistant vice president of Honda National Sales at American Honda Motor Co., Inc.

Meanwhile, the range-topping 2022 Passport Elite starts at $46,665. It has trim-specific 20-inch wheels, heated and ventilated front seats, a heated tiller, heated rear outboard seats, and a hands-free power tailgate.

Honda’s 2022 Passport is an attractive proposition for adventurous lifestyles despite the price hike. The Passport entered rallying a few months ago and will continue to see action in the American Rally Association (ARA) series throughout 2022, so we have no question about the Passport Trailsport’s off-road pedigree. But is it $5,000 better than the competition? We’re itching to find out.
