Kubernetes Security
Ada Logics has rich experience in Kubernetes security that can help you protect and secure your cloud assets. We have comprehensive knowledge of Kubernetes’ threat model and how misconfigured clusters or vulnerable code make you vulnerable and how you can mitigate. This has led us to find vulnerabilities in many of widely used software packages amongst Kubernetes users such as Argo, cri-o, containerd, Helm and FluxCD.
Kubernetes security services

We offer services at different levels of Kubernetes infrastructure. Our services start with understanding your use case, who you serve and how you deploy your Kubernetes instance. We can then audit your application layer, your infrastructure and/or your supply-chain risk. An audit will include either static code assets or in-cluster auditing or both - which is the case for most of our audits. Our audits complete with a detailed report written for you in a format you can share internally with your team or publicly with the world.

Wide experience with the Kubernetes ecosystem

Ada Logics has audited a range of popular Kubernetes tools.

We have found several security vulnerabilities in the Argo ecosystem - from Low to Critical severity. We worked with the Argo team to remediate and get them released in a safe manner. Similarly, we have written Argos entire fuzzing infrastructure and maintained it for several years.
The widely customizable and widely used admission controller with a great feature set and detailed documentation. Ada Logics audited Kyverno and found 5 vulnerabilities that we disclosed to Kyverno who fixed them. Ada Logics has written Kyvernos fuzzing suite which tests both for language-level vulnerabilities and policy bypasses, and we have maintained the fuzzing suite for several years.
One of the most widely used container runtimes after containerd/Docker. During an audit of cri-o, we found a vulnerability that could allow an attacker to crash Kubernetes Node and thereby impact the usability of other users on that node. We then looked at containerd and found that it had the same vulnerability. Both cri-o and containerd fixed the vulnerabilities.
The popular service mesh that offers a rich feature set including many that enhance the security of your cluster. Ada Logics has both found vulnerabilities in Istio and in Golang that directly impacted Istio.
Ada Logics have found multiple vulnerabilities in containerd both from auditing efforts and security engineering. During out audit of cri-o we found a vulnerability that existed in both cri-o and containerd. During a fuzzing engagement, we found another vulnerability in containerd.
We carried out a holistic security audit of FluxCD in which we found a high-severity command-injection.
Our Kubernetes security services
Threat modelling

We can threat model your infrastructure to identify its attack surface, threat actors, trust zones and trust flow and security controls.

Attacking your infrastructure

Ada Logics can take an attackers perspective and attempt to steal your data, damage your application, infiltrate your infrastructure and compromise your users in a controlled environment.

Manual auditing

We can manually audit your Kubernetes infrastructure for risks, misconfigurations, risks and vulnerabilities.

Automated testing

We use state-of-the-art open source dynamic and static analysis to support our audits.

One-time infrastructure audits

We can help with auditing your infrastructure as a one-time engagement.

Regular infrastructure audits

We are available for regular infrastructure audits such as yearly or half-yearly engagements. Code changes over time, and vulnerabilities can get introduced. Catch them with yearly checkups. Alternatively, a yearly infrastructure audit helps your eradicate easily-exploitable issues and find deeper security issues over time.

Security engineering and hardening

We can work with you on hardening the security of your infrastructure. This can be through implementing or improving your admission controls or service mesh, or by hardening your infrastructure configurations.

Talk to us now about your Kubernetes security
Contact Us
Sample Open Source Vulnerabilities

We have found vulnerabilities in the biggest and most widely used open-source software projects.

20/11-2024
Cert-Manager
Potential slowdown / DoS when parsing specially crafted PEM inputs
Low
ID:
GHSA-r4pg-vg54-wxx4
Published:
20/11-2024
Project:
Cert-Manager
18/10-2024
Keycloak
org.keycloak:keycloak-services has Inefficient Regular Expression Complexity
High
ID:
CVE-2024-10270
Published:
18/10-2024
Project:
Keycloak
1/10-2024
Go-TUF
Incorrect delegation lookups can make go-tuf download the wrong artifact
High
ID:
CVE-2024-47534
Published:
1/10-2024
Project:
Go-TUF
30/9-2024
expressjs/basic-auth-connect
basic-auth-connect's callback uses time unsafe string comparison
Low
ID:
CVE-2024-47178
Published:
30/9-2024
Project:
expressjs/basic-auth-connect
10/9-2024
expressjs/body-parser
body-parser vulnerable to denial of service when url encoding is enabled
High
ID:
CVE-2024-45590
Published:
10/9-2024
Project:
expressjs/body-parser
10/9-2024
Express.js
express vulnerable to XSS via response.redirect()
Low
ID:
CVE-2024-43796
Published:
10/9-2024
Project:
Express.js
10/9-2024
pillarjs/send
send vulnerable to template injection that can lead to XSS
Low
ID:
CVE-2024-43799
Published:
10/9-2024
Project:
pillarjs/send
4/9-2024
Sigstore-go
sigstore-go has an unbounded loop over untrusted input can lead to endless data attack
Low
ID:
CVE-2024-45395
Published:
4/9-2024
Project:
Sigstore-go
18/6-2024
Minder
Minder affected by denial of service from maliciously configured Git repository
Moderate
ID:
CVE-2024-37904
Published:
18/6-2024
Project:
Minder
27/5-2024
Minder
Denial of service of Minder Server from maliciously crafted GitHub attestations
Moderate
ID:
CVE-2024-35238
Published:
27/5-2024
Project:
Minder
20/5-2024
Minder
Stacklok Minder vulnerable to denial of service from maliciously crafted templates
Moderate
ID:
CVE-2024-35194
Published:
20/5-2024
Project:
Minder
16/5-2024
Minder
Denial of service of Minder Server with attacker-controlled REST endpoint
Moderate
ID:
CVE-2024-35185
Published:
16/5-2024
Project:
Minder
15/5-2024
fastify-secure-session
@fastify/secure-session: Reuse of destroyed secure session cookie
High
ID:
CVE-2024-31999
Published:
15/5-2024
Project:
fastify-secure-session
7/5-2024
Minder
Minder's GitHub Webhook Handler vulnerable to DoS from un-validated requests
High
ID:
CVE-2024-34084
Published:
7/5-2024
Project:
Minder
10/4-2024
Sigstore Cosign
Cosign malicious attachments can cause system-wide denial of service
Moderate
ID:
CVE-2024-29902
Published:
10/4-2024
Project:
Sigstore Cosign
10/4-2024
Sigstore Cosign
Cosign malicious artifacts can cause machine-wide DoS
Moderate
ID:
CVE-2024-29903
Published:
10/4-2024
Project:
Sigstore Cosign
ID:
CVE-2023-46738
Published:
3/1-2024
Project:
Knative Serving
3/1-2024
CubeFS
Authenticated users can crash the CubeFS servers with maliciously crafted requests
High
ID:
CVE-2023-46738
Published:
3/1-2024
Project:
CubeFS
3/1-2024
CubeFS
CubeFS timing attack can leak user passwords
High
ID:
CVE-2023-46739
Published:
3/1-2024
Project:
CubeFS
3/1-2024
CubeFS
Insecure random string generator used for sensitive data
High
ID:
CVE-2023-46740
Published:
3/1-2024
Project:
CubeFS
3/1-2024
CubeFS
CubeFS leaks magic secret key when starting Blobstore access service
High
ID:
CVE-2023-46741
Published:
3/1-2024
Project:
CubeFS
3/1-2024
CubeFS
CubeFS leaks users key in logs
Moderate
ID:
CVE-2023-46742
Published:
3/1-2024
Project:
CubeFS
27/11-2023
Knative Serving
Knative Serving vulnerable to attacker-controlled pod causing denial of service of autoscaler
Moderate
ID:
CVE-2023-48713
Published:
27/11-2023
Project:
Knative Serving
13/11-2023
Kyverno
Attacker can cause Kyverno user to unintentionally consume insecure image
High
ID:
CVE-2023-47630
Published:
13/11-2023
Project:
Kyverno
7/11-2023
Sigstore Cosign
Cosign vulnerable to possible endless data attack from attacker-controlled registry
Low
ID:
CVE-2023-46737
Published:
7/11-2023
Project:
Sigstore Cosign
7/11-2023
Crossplane
Possible image tampering from missing image validation for Packages
High
ID:
CVE-2023-38495
Published:
7/11-2023
Project:
Crossplane
29/9-2023
Apache Avro Java SDK
Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK
High
ID:
CVE-2023-39410
Published:
29/9-2023
Project:
Apache Avro Java SDK
27/7-2023
Crossplane
Denial of service from large image
Low
ID:
CVE-2023-37900
Published:
27/7-2023
Project:
Crossplane
16/7-2023
Avro
avro vulnerable to denial of service via attacker-controlled parameter
High
ID:
CVE-2023-37475
Published:
16/7-2023
Project:
Avro
13/07-2023
Istio
Unauthenticated control plane denial of service attack in Istio
High
ID:
CVE-2022-23635
Published:
13/07-2023
Project:
Istio
6/6-2023
Notation
Notation vulnerable to denial of service from high number of artifact signatures
Moderate
ID:
CVE-2023-33957
Published:
6/6-2023
Project:
Notation
6/6-2023
Notation
Notation's default `maxSignatureAttempts` in `notation verify` enables an endless data attack
Moderate
ID:
CVE-2023-33958
Published:
6/6-2023
Project:
Notation
6/6-2023
Notation-go
notation-go's verification bypass can cause users to verify the wrong artifact
Moderate
ID:
CVE-2023-33959
Published:
6/6-2023
Project:
Notation-go
11/5-2023
Vitess
VTAdmin users that can create shards can deny access to other functions
Moderate
ID:
CVE-2023-29195
Published:
11/5-2023
Project:
Vitess
3/5-2023
Rekor
Rekor's compressed archives can result in OOM conditions
High
ID:
CVE-2023-30551
Published:
3/5-2023
Project:
Rekor
11/4-2023
Vitess
Vitess allows users to create keyspaces that can deny access to already existing keyspaces
Moderate
ID:
CVE-2023-29194
Published:
11/4-2023
Project:
Vitess
9/3-2023
Crossplane-runtime
fieldpath's Paved.SetValue allows growing arrays up to arbitrary sizes in crossplane-runtime
Moderate
ID:
CVE-2023-27483
Published:
9/3-2023
Project:
Crossplane-runtime
9/3-2023
Crossplane
Crossplane-runtime contains Improper Input Validation via Compositions
Moderate
ID:
CVE-2023-27484
Published:
9/3-2023
Project:
Crossplane
20/2-2023
Helm
notation-go has excessive memory allocation on verification
High
ID:
CVE-2023-25656
Published:
20/2-2023
Project:
Helm
16/2-2023
containerd
OCI image importer memory exhaustion
Moderate
ID:
CVE-2023-25153
Published:
16/2-2023
Project:
containerd
27/1-2023
ArgoCD
Argo CD certificate verification is skipped for connections to OIDC providers
High
ID:
CVE-2022-31105
Published:
27/1-2023
Project:
ArgoCD
14/12-2022
Helm
Helm vulnerable to denial of service through string value parsing
Moderate
ID:
CVE-2022-23524
Published:
14/12-2022
Project:
Helm
14/12-2022
Helm
Helm vulnerable to denial of service through through repository index file
Moderate
ID:
CVE-2022-23525
Published:
14/12-2022
Project:
Helm
14/12-2022
Helm
Helm vulnerable to denial of service through schema file
Moderate
ID:
CVE-2022-23526
Published:
14/12-2022
Project:
Helm
14/10-2022
Golang
Reader.Read does not set a limit on the maximum size
High
ID:
CVE-2022-2879
Published:
14/10-2022
Project:
Golang
14/10-2022
Golang
golang.org/x/text/language Denial of service via crafted Accept-Language header
High
ID:
CVE-2022-32149
Published:
14/10-2022
Project:
Golang
3/10-2022
Jackson-Databind
Uncontrolled Resource Consumption in FasterXML jackson-databind
High
ID:
CVE-2022-42004
Published:
3/10-2022
Project:
Jackson-Databind
24/8-2022
Helm
Helm Vulnerable to denial of service through string value parsing
Moderate
ID:
CVE-2022-36055
Published:
24/8-2022
Project:
Helm
24/8-2022
Jackson-Databind
Uncontrolled Resource Consumption in Jackson-databind
High
ID:
CVE-2022-42003
Published:
24/8-2022
Project:
Jackson-Databind
12/7-2022
ArgoCD
Argo CD SSO users vulnerable to Cross-site Scripting
Low
ID:
CVE-2022-31102
Published:
12/7-2022
Project:
ArgoCD
13/7-2022
containerd
Insecure path traversal in Git Trigger Source can lead to arbitrary file read
High
ID:
CVE-2022-25856
Published:
13/7-2022
Project:
containerd
11/7-2022
KubeEdge
KubeEdge Edge ServiceBus module DoS
Moderate
ID:
CVE-2022-31073
Published:
11/7-2022
Project:
KubeEdge
11/7-2022
KubeEdge
KubeEdge Cloud AdmissionController component DoS
Moderate
ID:
CVE-2022-31074
Published:
11/7-2022
Project:
KubeEdge
11/7-2022
KubeEdge
KubeEdge DoS when signing the CSR from EdgeCore
Moderate
ID:
CVE-2022-31075
Published:
11/7-2022
Project:
KubeEdge
11/7-2022
KubeEdge
KubeEdge CloudCore Router memory exhaustion vulnerability
Moderate
ID:
CVE-2022-31078
Published:
11/7-2022
Project:
KubeEdge
11/7-2022
KubeEdge
KubeEdge Cloud Stream and Edge Stream DoS from large stream message
Moderate
ID:
CVE-2022-31079
Published:
11/7-2022
Project:
KubeEdge
11/7-2022
KubeEdge
DoS in KubeEdge's Websocket Client in package Viaduct
Moderate
ID:
CVE-2022-31080
Published:
11/7-2022
Project:
KubeEdge
26/6-2022
KubeEdge
CloudCore CSI Driver: Malicious response from KubeEdge can crash CSI Driver controller server
Moderate
ID:
CVE-2022-31077
Published:
26/6-2022
Project:
KubeEdge
24/6-2022
KubeEdge
CloudCore UDS Server: Malicious Message can crash CloudCore
Moderate
ID:
CVE-2022-31076
Published:
24/6-2022
Project:
KubeEdge
21/6-2022
ArgoCD
Insecure entropy in Argo CD's PKCE/Oauth2/OIDC params
High
ID:
CVE-2022-31034
Published:
21/6-2022
Project:
ArgoCD
21/6-2022
ArgoCD
Argo CD's external URLs for Deployments can include JavaScript
Critical
ID:
CVE-2022-31035
Published:
21/6-2022
Project:
ArgoCD
21/6-2022
ArgoCD
Symlink following allows leaking out-of-bounds YAML files from Argo CD repo-server
Moderate
ID:
CVE-2022-31036
Published:
21/6-2022
Project:
ArgoCD
21/6-2022
ArgoCD
DoS through large manifest files in Argo CD
Moderate
ID:
CVE-2022-31016
Published:
21/6-2022
Project:
ArgoCD
6/6-2022
cri-o
Node DOS by way of memory exhaustion through ExecSync request in CRI-O
High
ID:
CVE-2022-1708
Published:
6/6-2022
Project:
cri-o
6/6-2022
containerd
containerd CRI plugin: Host memory exhaustion through ExecSync
Moderate
ID:
CVE-2022-31030
Published:
6/6-2022
Project:
containerd
11/11-2021
FluxCD kustomize-controller
Privilege escalation to cluster admin on multi-tenant environments
High
ID:
CVE-2021-41254
Published:
11/11-2021
Project:
FluxCD kustomize-controller