Snyk Blog

API authentication vulnerability found in Snyk Kubernetes integration (CVE-2023-1065)

Écrit par:
Hannah Foxwell
Hannah Foxwell

28 février 2023

0 minutes de lecture

We would like to inform Snyk customers of some important changes to Snyk Container’s Kubernetes Monitor integration to address vulnerabilities found in the API authentication. At this time, the Kubernetes integration is only available on Snyk's Enterprise plan. Only Enterprise customers who have deployed the Snyk Kubernetes Monitor are impacted.

CVE-2023-1065

CVE-2023-1065 is a medium severity vulnerability that does not expose the user of the integration to any direct security risk and no user data could be leaked, but it could have resulted in irrelevant data being posted to a Snyk organization — which could in turn obfuscate other, relevant, security issues. 

Details of the vulnerable API endpoints and how to upgrade your integration can be found below. 

CVE-2023-1065 Snyk Kubernetes Monitor Authentication Vulnerability

The purpose of the Snyk Kubernetes Monitor is to allow users to automatically identify, import, and scan containers running in your Kubernetes cluster. To do this, users deploy the Snyk Controller and obtain a Snyk Integration ID to post the data back to the Snyk Platform. The above vulnerability impacts this POST API endpoint, which uses the Integration ID to route scan results to a user’s Snyk Organization.

How to upgrade and stay safe

Snyk has updated the Kubernetes Monitor with more robust authentication, which will need to be deployed to your Kubernetes clusters. If you are using the integration, we advise that you upgrade as soon as possible. An overview of the Snyk Kubernetes integration and instructions on how to upgrade the Snyk Kubernetes Monitor are available in the documentation.

The new controller will post data back to a new, more secure API endpoint. The current insecure API endpoints will be deprecated in six weeks on April 11. At that time, older versions of the Snyk Kubernetes Monitor will become unusable. 

More information

You can find more details on this medium severity vulnerability in the public vulnerability database.

We would like to thank the Tesco Cybersecurity Team for finding and disclosing this vulnerability to us. Snyk is proud to be one of the leading proponents of responsible disclosure programs and open source technology. One of the main tenets of a robust and modern security posture is to encourage external testing of software that compliments internal testing and tooling. 

At Snyk, it’s our business to know that all software has the potential to include vulnerabilities. Our users’ safety is paramount, and we will continue to take all steps necessary to ensure our software is rigorously tested.

To stress, this is a medium severity vulnerability whose potential impact is limited to the usability of Snyk. However, our customers have come to rely on us for continuous detection and remediation of vulnerabilities, as well as incident response during 0-day events. For that reason, we consider our availability and accuracy to be mission-critical for our users and take this problem very seriously. 

We apologize for any inconvenience caused to customers needing to upgrade the Snyk Kubernetes Monitor. Please reach out with any questions through our Snyk Support portal.

Publié dans:Sécurité des conteneurs, Informations sur les vulnérabilités

Vous voulez l’essayer par vous-même ?

Snyk interviewed 20+ security leaders who have successfully and unsuccessfully built security champions programs. Check out this playbook to learn how to run an effective developer-focused security champions program.

Réservez une démo en ligne

Snyk est une plateforme de sécurité des développeurs. S’intégrant directement aux outils, workflows et pipelines de développement, Snyk facilite la détection, la priorisation et la correction des failles de sécurité dans le code, les dépendances, les conteneurs et l’infrastructure en tant que code (IaC). Soutenu par une intelligence applicative et sécuritaire de pointe, Snyk intègre l'expertise de la sécurité au sein des outils de chaque développeur.

Démarrez gratuitementRéservez une démo en ligne

Produit

Qu’est-ce que Snyk ?Snyk Code (SAST)Snyk Open Source (SCA)Snyk ContainerSnyk Infrastructure as CodeSnyk AppRisk (ASPM)Plateforme de sécurité des développeursSécurité des applicationsSécurité de la chaîne d’approvisionnement logicielleSécurité du code généré par l’IA DeepCode AITarifsOptions de déploiementIntégrationsPlugins pour les IDESécurité GitSécurité des pipelines de CI/CDSnyk CLISnyk LearnSnyk pour JavaScript

Ressources

DocumentationDocuments sur l’API SnykStatut de l’APIVulnérabilités divulguéesPortail de support et FAQBlogPrincipes fondamentaux de la sécuritéRessources pour les leaders de la sécuritéRessources pour les hackers éthiquesBase de données des vulnérabilitésSnyk OSS AdvisorTop 10 de SnykVidéosRessources clientSecurity LabsThe Secure Developer Podcast

Société

À proposClientsCarrièresÉvénementsSnyk pour le secteur publicSécurité et confianceMentions légalesConfidentialitéPour les résidents de Californie : Ne vendez pas mes informations à caractère personnelConditions d'utilisation du site webProcurement

Connexion

Réservez une démo en ligneContactez-nousSupportSignaler une nouvelle vulnérabilité

Sécurité

Sécurité des applicationsSécurité des conteneursSécurité de la chaîne d’approvisionnementSécurité JavascriptSécurité open sourceSécurité AWSSDLC sécuriséPosture de sécuritéCode sécuriséHacking éthiqueL’IA dans la cybersécuritéVérificateur de codePythonCybersécurité en entrepriseJavaScriptSnyk With GitHubComparaison Snyk/VeracodeSnyk vs CheckmarxSnyk vs Synopsys

© 2024 Snyk Limited
Enregistré en Angleterre et au Pays de Galles

logo-devseccon