AKS on Azure Stack HCI and Windows Server 2023 Update 

Welcome to the latest update on AKS (Azure Kubernetes Service) for Azure Stack HCI and Windows Server 2023, dated July 10, 2023. In this release, we are excited to introduce several significant enhancements and security updates that further solidify the stability and security of your AKS clusters. 

Security Updates

Security is paramount, and with this update, several critical vulnerabilities have been addressed: 

  1. CVE-2023-2728: Bypassing enforce mountable secrets policy: This vulnerability allowed users to launch containers that bypassed the mountable secrets policy imposed by the ServiceAccount admission plugin. This issue has been fixed to ensure a secure environment.
  2. CVE-2023-27561, CVE-2023-25809, CVE-2023-28642: Runc Vulnerabilities: Runc has been upgraded from version 1.1.4 to 1.1.5 to rectify issues such as incorrect Access Control and Escalation of Privileges, providing a more secure container runtime environment.
  3. CVE-2022-3162: Unauthorized Read of Custom Resources: Users could read custom resources they were not authorized to access. This issue has been addressed to ensure proper access control of custom resources.
  4. CVE-2022-3172: Aggregated API Server SSRF: A potential SSRF issue in kube-apiserver allowed attackers to redirect client traffic to unauthorized URLs. It is essential to secure aggregated API servers to prevent such actions.
  5. CVE-2021-3121: GoGo Protobuf Issue: This vulnerability in GoGo Protobuf before version 1.3.2 could lead to the modification of system files and reduced performance. This issue has been resolved to maintain system integrity.
  6. CVE-2023-32681: Proxy-Authorization Header Leak: Requests were leaking Proxy-Authorization headers, potentially exposing sensitive information. This issue has been addressed to enhance security.
  7. CVE-2023-29491: Terminfo Database File Issue: Local users could trigger security-relevant memory corruption through malformed data in a terminfo database file. This issue is now resolved.
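
For the mountable secrets policy item (CVE-2023-2728), the following is an added example, not code from Microsoft or the Kubernetes project. It audits existing pods against the policy after the update is applied. It approximates the ServiceAccount admission plugin's check and assumes its input is the `items` list from `kubectl get serviceaccounts,pods -A -o json`; the sample objects are constructed.

```python
# Added example: approximates the admission check; not the plugin's own code.
ENFORCE = "kubernetes.io/enforce-mountable-secrets"

def pod_secret_refs(pod):
    """Yield (location, secret_name) for every secret a pod spec references."""
    spec = pod.get("spec", {})
    for vol in spec.get("volumes", []):
        if "secret" in vol:
            yield f"volume/{vol['name']}", vol["secret"]["secretName"]
        for src in vol.get("projected", {}).get("sources", []):
            if "secret" in src:
                yield f"volume/{vol['name']}", src["secret"]["name"]
    for kind in ("containers", "initContainers", "ephemeralContainers"):
        for c in spec.get(kind, []):
            for env in c.get("env", []):
                ref = env.get("valueFrom", {}).get("secretKeyRef")
                if ref:
                    yield f"{kind}/{c['name']}", ref["name"]
            for src in c.get("envFrom", []):
                if "secretRef" in src:
                    yield f"{kind}/{c['name']}", src["secretRef"]["name"]

def audit(items):
    """Return sorted (namespace, pod, location, secret) refs outside the allow-list."""
    allowed = {}
    for o in items:
        meta = o["metadata"]
        if o["kind"] == "ServiceAccount" and meta.get("annotations", {}).get(ENFORCE) == "true":
            allowed[(meta["namespace"], meta["name"])] = {s["name"] for s in o.get("secrets", [])}
    findings = []
    for o in items:
        key = (o["metadata"]["namespace"], o.get("spec", {}).get("serviceAccountName", "default"))
        if o["kind"] == "Pod" and key in allowed:
            findings += [(key[0], o["metadata"]["name"], where, name)
                         for where, name in pod_secret_refs(o) if name not in allowed[key]]
    return sorted(findings)

# Constructed sample objects, not taken from any real cluster.
SAMPLE = [
    {"kind": "ServiceAccount", "metadata": {"namespace": "shop", "name": "web",
     "annotations": {ENFORCE: "true"}}, "secrets": [{"name": "web-tls"}]},
    {"kind": "Pod", "metadata": {"namespace": "shop", "name": "web-1"},
     "spec": {"serviceAccountName": "web",
      "volumes": [{"name": "tls", "secret": {"secretName": "web-tls"}}],
      "containers": [{"name": "app"}],
      "ephemeralContainers": [{"name": "debug", "envFrom": [{"secretRef": {"name": "db-admin"}}]}]}},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

Only service accounts carrying the `kubernetes.io/enforce-mountable-secrets: "true"` annotation are audited; image pull secrets are not covered by this example.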

Bug Fixes 

In addition to security updates, this release includes several important bug fixes to improve the overall stability and functionality of AKS: 

  • We fixed an issue where APIService objects for custom resources could be deleted and recreated during kube-apiserver start. 
  • Kubeadm reset now proceeds immediately to other phases if no etcd member ID is found for the peer during the remove-etcd-member phase. 
  • Various fixes were made to kubeadm, kubelet, kube-scheduler, and route controller, addressing issues related to resource management and event handling. 
  • Optimizations were made to load balancer creation, enhancing performance. 

Conclusion 

This update underscores the commitment to providing a secure and reliable Kubernetes service for Azure Stack HCI and Windows Server 2023. Explore these improvements and bug fixes to ensure your AKS clusters are running at their best. 

Remember, you can try AKS on Azure Stack HCI or Windows Server at any time, even without physical hardware, by following our evaluation guide to set up AKS on a Windows Server Azure VM. Stay tuned for more updates and enhancements in the future as AKS continues to evolve and improve to meet your needs. 
