gravitational/cve-2018-1002105 gravitational/cve-2018-1002105

  • This repository has been archived on 01/Jul/2023
  • Stars
    star
    197
  • Rank 190,545 (Top 4 %)
  • Language
    Go
  • License
    Apache License 2.0
  • Created over 5 years ago
  • Updated over 5 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
gravitational/cve-2018-1002105
github

gravitational

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Test utility for cve-2018-1002105

CVE-2018-1002105

Test utility that checks a cluster for the high severity kubernetes CVE published here. A stakeholder-level writeup of the CVE-2018-1002105 may be found at https://gravitational.com/blog/kubernetes-websocket-upgrade-security-vulnerability/

Warning

Running this test through layer 7 load balancers or proxies in front of you're kubernetes apiserver may be unreliable and produce incorrect results. This test operates by connecting to the apiserver, and checking for side effects of the apiserver that exhibit the bug in kubernetes. Running this proof of concept through a layer 7 load balancer, may falsely indicate that the API is vulnerable to CVE-2018-1002105

Managed Kubernetes (AKS, EKS, GKE) Note

This tool veers toward false-positives, if your Kubernetes API is provided by a major cloud provider (such as Amazon AWS EKS, Google Cloud GKE or Microsoft Azure AKS), that service provider has almost certainly already patched your apiserver and you are no longer affected by CVE-2018-1002105. We would welcome pull requests that improve the detection of non-vulnerable apiserver endpoints.

Build and Run

go get github.com/gravitational/cve-2018-1002105
cd $GOPATH/src/github.com/gravitational/cve-2018-1002105
go run main.go

Running as a container

docker run -it --rm -v $HOME/.kube/config:/kubeconfig: quay.io/gravitational/cve-2018-1002105:latest

Testing a cluster

The tool will attempt to test for two things, whether the cluster allows unauthenticated access to the API, which will then allow unauthenticated access to aggregate API endpoint. It will also attempt to find a pod, and attempt to test whether the apiserver will leave the connection open on a malformed request, which indicates the cluster is susceptible to CVE-2018-1002105.

Testing for unauthenticated access...
> API allows unauthenticated access
Testing for privilege escalation...
> API is vulnerable to CVE-2018-1002105

If you see API allows unauthenticated access it indicates that the test was able to detect unauthenticated access to the cluster. This test is fairly basic, but should detect a default configuration where anonymous access to the cluster is allowed.

If you see API is vulnerable to CVE-2018-1002105, this means that using the provided kubeconfig, the tool was able to test and confirm your cluster is vulnerable.

More Repositories

1

teleport

Protect access to all of your infrastructure
Go
15,876
star
2

teleconsole

Command line tool to share your UNIX terminal and forward local TCP ports to people you trust.
Go
2,779
star
3

workshop

Docker, Kubernetes and Gravity Trainings by Gravitational
Go
2,021
star
4

gravity

Kubernetes application deployments for restricted, regulated, or remote environments
Go
1,083
star
5

wormhole

Wireguard based overlay network CNI plugin for kubernetes
Go
518
star
6

satellite

Simple and extensible monitoring agent / library for Kubernetes: https://gravitational.com/blog/monitoring_kubernetes_satellite/
Go
198
star
7

careers

Apply at https://jobs.lever.co/teleport
TeX
83
star
8

teleport-plugins

Set of plugins for Teleport
HTML
80
star
9

trace

Package for error handling and error reporting
Go
66
star
10

planet

Installable Kubernetes delivered in containers
Go
51
star
11

webapps

Mono-repository of Gravitational Web Applications
TypeScript
46
star
12

configure

Configure is a golang library that populates a struct from environment variables, command line arugments and YAML files.
Go
45
star
13

rigging

Kubernetes resources change management
Go
40
star
14

monitoring-app

Gravity application that provides a Kapacitor/Alertmanager/Grafana based monitoring system.
Go
34
star
15

force

A new programming language for cloud native workflows
Go
31
star
16

rbac-linter

Python
26
star
17

console-demo

Simplest possible implementation of web-based terminal for Golang backend
JavaScript
23
star
18

teleport-cluster-terraform

Archived - see the Terraform in gravitational/teleport instead
HCL
22
star
19

version

version is a library that automates the task of adding build version information to any Go package
Go
16
star
20

protoc-gen-terraform

Generates Terraform provider schemas and unmarshallers from protobuf definitions
Go
15
star
21

udpbeat

ELK beat that collects the structured inputs via UDP and emits them to ELK
Go
15
star
22

stolon-app

Opinionated stolon gravity/kubernetes app.
Go
13
star
23

kube2sky

A bridge between Kubernetes and SkyDNS.
Go
13
star
24

roundtrip

Library for HTTP request/response workflow
Go
12
star
25

logging-app

This gravity app provides an rsyslog-based log collection system to gravity sites.
Go
12
star
26

robotest

Automated provisioning and install testing
Go
11
star
27

next

Doc and website engine using next
TypeScript
11
star
28

docs

Source code backing goteleport.com/docs
TypeScript
9
star
29

jenkins-pipelines

Go
9
star
30

etcd-backup

For handling backup/restore of etcd database from userspace
Go
8
star
31

provisioner

[DEPRECATED] Terraform based provisioners for ops center
Go
7
star
32

bandwagon

Sample custom post-installation application for Gravity
JavaScript
7
star
33

teleport-agent-terraform

Terraform module which sets up a Teleport agent in AWS
HCL
7
star
34

terraform-gravity

Public terraform scripts for deploying Gravity
HCL
6
star
35

keygen

OSS tool for easy SSH key generation
Go
6
star
36

license

CA and licensing tools
Go
6
star
37

docker-debian

Customized Debian Docker images
Shell
6
star
38

sync-controller

Controller that synchronizes Kubernetes custom resources between clusters
Go
5
star
39

slackbot

Gravitational support bot
Go
5
star
40

mm

Auto discovery and export Prometheus metrics into InfluxDB
Go
5
star
41

protobuf-as

Protobuf AssemblyScript compiler
WebAssembly
4
star
42

licensinator

Python
4
star
43

webassets

HTML
4
star
44

healthz

Version of SkyDNS healthz that is simply Go
Go
4
star
45

quickstart

Getting started with Gravity. Sample application
HCL
4
star
46

docker-ubuntu

Customized Ubuntu Docker images
Shell
3
star
47

fakeiot

Fake IOT test cluster used for Full Stack Coding challenge
Go
3
star
48

gamma

An open source tool to compile a monorepo of GitHub actions into individual repos
Go
3
star
49

predicate-lang

Predicate - Access Control System
3
star
50

pithos-app

Pithos object store for Kubernetes + Gravity
Go
3
star
51

cloud-native-hackathon

Teleport Challenge
3
star
52

storage-app

Gravity system application that provides OpenEBS-based persistent storage for clusters
Makefile
3
star
53

coordinate

Set of utilities for ETCD and BoltDB
Go
3
star
54

reporting

gRPC based client/server usage reporting module
Go
2
star
55

httplib

HTTP Library utils
Go
2
star
56

shared-workflows

GitHub Actions shared within the organization
Go
2
star
57

oom

Reproduce problems with missing backpressure when using grpc ServeHTTP and a solution
Go
2
star
58

selinux

SELinux support for Gravity
Shell
2
star
59

cluster-ssl-app

cluster ssl system application
Shell
2
star
60

form

Package for handling HTTP web forms input
Go
2
star
61

session

Secure session IDs encrypted by lemma
Go
2
star
62

log

backport of logging facility we are using for compatibility purposes
Go
2
star
63

hackernews-challenge

Frontend Developer Challenge
2
star
64

it-onboarding

IT Onboarding
1
star
65

teleport-actions

Mono-repository of GitHub Actions for Teleport
1
star
66

.github

Teleport GitHub Organization Repository
1
star
67

aws-teleport-workshop

Teleport AWS Workshop
1
star
68

lf

LF is a on disk log format key value data store. Never use it anywhere
1
star
69

downtime

TypeScript
1
star
70

django-app

Gravity django-app
Go
1
star
71

hello

Tiny web app skeleton to show the basic Gravitational project structure and development workflow
Go
1
star
72

aws-ecr-helper

Amazon ECR Credential Helper for kubernetes cronjobs
Go
1
star
73

challenge-user-management

User Management Coding Challenge
CSS
1
star
74

gh-actions-poc

Go
1
star
75

ingress-app

Ingress App
Mustache
1
star
76

robotest-triage

Tools for triaging bulk Robotest runs
Python
1
star
77

magnet

Experimental library for working with mage as a build system
Go
1
star
78

patroni-app

Gravity application that provides installation of Patroni(a template for PostgreSQL HA)
HTML
1
star
79

godl

Go
1
star
80

packer-manifests

This repository contains manifests for Hashicorp Packer
Shell
1
star
81

teleport-github-actions-provisioning

An example of using Teleport Machine ID with Github Actions
HCL
1
star
82

sw

Star Wars Frontend Challenge
CSS
1
star
83

it-prod-public-test

a testing repo
1
star
84

influxdata-webinar

Files for Influxdata Webinar
JavaScript
1
star
85

test-it-public-repo

Testing repo
1
star
86

tpl

Render static text template from a configuration file
Go
1
star
87

gha-exporter

GitHub Actions metrics exporter for Prometheus
Go
1
star