Notice of Kubernetes Security Vulnerabilities (CVE-2024-9486 and CVE-2024-9594)
The Kubernetes Security Response Committee discovered two security vulnerabilities (CVE-2024-9486 and CVE-2024-9594) in the Kubernetes Image Builder. These vulnerabilities may allow attackers to obtain root access to VMs.
Description
| Type | CVE-ID | Severity | Discovered |
|---|---|---|---|
| Container escape | CVE-2024-9486, CVE-2024-9594 | Critical | 2024-10-15 |
Impact
VM images created with the Kubernetes Image Builder may retain the default SSH credentials of the builder user, which can be used to log in to a VM running such an image and potentially escalate to root on that VM. CCE node images are not built with the Kubernetes Image Builder, so CCE nodes are not affected by these vulnerabilities.
Identification Method
Run the following command on the target node:
id builder

If the builder user is not present, the node is not affected by these vulnerabilities.
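As an added example (not part of this notice), the following POSIX shell check goes one step beyond the single id builder command: it reports whether the builder account exists and whether it still carries a usable password hash, reading the passwd and shadow files from paths given as parameters so it can be run against constructed sample files; the sample files below are constructed, not real node data.

```shell
#!/bin/sh
# Added example: detect a leftover "builder" account and whether it is still
# usable (password hash present) rather than locked. Pass /etc/passwd and
# /etc/shadow on a real node (reading /etc/shadow requires root).

# Return 0 if a "builder" entry exists in the given passwd file.
builder_present() {
    grep -q '^builder:' "$1"
}

# Print one of: absent / locked / password-set
builder_status() {
    passwd_file="$1"
    shadow_file="$2"
    if ! builder_present "$passwd_file"; then
        echo "absent"
        return 0
    fi
    # Second field of the shadow entry is the password hash; "!" or "*"
    # prefixes (or an empty field) mean the account cannot log in by password.
    hash=$(awk -F: '$1 == "builder" { print $2 }' "$shadow_file")
    case "$hash" in
        ""|"!"*|"*"*) echo "locked" ;;
        *) echo "password-set" ;;
    esac
}

# Constructed sample files for a stand-alone run (not copied from any node).
tmpdir=$(mktemp -d)
printf 'root:x:0:0:root:/root:/bin/bash\nbuilder:x:1000:1000::/home/builder:/bin/bash\n' > "$tmpdir/passwd"
printf 'root:*:19000:0:99999:7:::\nbuilder:$6$saltsalt$constructedhash:19000:0:99999:7:::\n' > "$tmpdir/shadow"
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$tmpdir/passwd_clean"
printf 'root:*:19000:0:99999:7:::\nbuilder:!:19000:0:99999:7:::\n' > "$tmpdir/shadow_locked"

builder_status "$tmpdir/passwd" "$tmpdir/shadow"
```

A result of password-set means the default credential is still live on that node; absent matches the "not affected" outcome of the id builder check above.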
Solution
These vulnerabilities do not impact CCE public images. It is recommended that you avoid using Kubernetes Image Builder versions earlier than 0.1.38 to create private images.