API authentication vulnerability found in Snyk Kubernetes integration (CVE-2023-1065)

We would like to inform Snyk customers of some important changes to Snyk Container’s Kubernetes Monitor integration to address vulnerabilities found in the API authentication. At this time, the Kubernetes integration is only available on Snyk's Enterprise plan. Only Enterprise customers who have deployed the Snyk Kubernetes Monitor are impacted.

CVE-2023-1065

CVE-2023-1065 is a medium severity vulnerability that does not expose the user of the integration to any direct security risk and no user data could be leaked, but it could have resulted in irrelevant data being posted to a Snyk organization — which could in turn obfuscate other, relevant, security issues. 

Details of the vulnerable API endpoints and how to upgrade your integration can be found below. 

CVE-2023-1065 Snyk Kubernetes Monitor Authentication Vulnerability

The purpose of the Snyk Kubernetes Monitor is to allow users to automatically identify, import, and scan containers running in your Kubernetes cluster. To do this, users deploy the Snyk Controller and obtain a Snyk Integration ID to post the data back to the Snyk Platform. The above vulnerability impacts this POST API endpoint, which uses the Integration ID to route scan results to a user’s Snyk Organization.

How to upgrade and stay safe

Snyk has updated the Kubernetes Monitor with more robust authentication, which will need to be deployed to your Kubernetes clusters. If you are using the integration, we advise that you upgrade as soon as possible. An overview of the Snyk Kubernetes integration and instructions on how to upgrade the Snyk Kubernetes Monitor are available in the documentation.

The new controller will post data back to a new, more secure API endpoint. The current insecure API endpoints will be deprecated in six weeks on April 11. At that time, older versions of the Snyk Kubernetes Monitor will become unusable. 

More information

You can find more details on this medium severity vulnerability in the public vulnerability database.

We would like to thank the Tesco Cybersecurity Team for finding and disclosing this vulnerability to us. Snyk is proud to be one of the leading proponents of responsible disclosure programs and open source technology. One of the main tenets of a robust and modern security posture is to encourage external testing of software that compliments internal testing and tooling. 

At Snyk, it’s our business to know that all software has the potential to include vulnerabilities. Our users’ safety is paramount, and we will continue to take all steps necessary to ensure our software is rigorously tested.

To stress, this is a medium severity vulnerability whose potential impact is limited to the usability of Snyk. However, our customers have come to rely on us for continuous detection and remediation of vulnerabilities, as well as incident response during 0-day events. For that reason, we consider our availability and accuracy to be mission-critical for our users and take this problem very seriously. 

We apologize for any inconvenience caused to customers needing to upgrade the Snyk Kubernetes Monitor. Please reach out with any questions through our Snyk Support portal.