Greetings from the VMware Security Response Center!

Yesterday Kubernetes disclosed CVE-2018-1002105 – a critical-severity vulnerability in the Kubernetes API server. For more details on the vulnerability, please see Kubernetes’ announcement here:

This vulnerability affects the following VMware products:

- VMware Pivotal Container Service (PKS)
- VMware vCloud Director Container Service Extension (CSE)
- Photon OS

There will be no VMware Security Advisory, since remediation for these products has already been documented in a separate advisory or on the offering’s GitHub page.

Remediation Information:

PKS – Fixed in 1.2.3

CSE – Fixed in 1.2.5

Photon OS – Fixed in 1.10.11-1 and 1.11.5-1

For our service offerings that use Kubernetes, mitigations are already in place that have closed down the critical-severity attack vector associated with CVE-2018-1002105 while full remediation is in progress.