Greetings from the VMware Security Response Center!
Yesterday Kubernetes disclosed CVE-2018-1002105 – a critical-severity vulnerability in the Kubernetes API server. For more details on the vulnerability, please see Kubernetes’ announcement here:
This vulnerability affects the following VMware products:
- VMware Pivotal Container Service (PKS)
- VMware vCloud Director Container Service Extension (CSE)
There will be no VMware Security Advisory, since remediation for these products has already been documented in a separate advisory or on the offering’s GitHub page.
PKS – Fixed in 1.2.3
CSE – Fixed in 1.2.5
Photon OS – Fixed in 1.10.11-1 and 1.11.5-1
For our service offerings that use Kubernetes, mitigations that close down the critical-severity attack vector associated with CVE-2018-1002105 are already in place while full remediation is in progress.