
Container Service for Kubernetes:Vulnerability fixed: CVE-2018-1002105 in Kubernetes

Last Updated:Feb 27, 2026

Alibaba Cloud has fixed vulnerability CVE-2018-1002105 for Container Service for Kubernetes (ACK). This critical privilege escalation vulnerability allows a user who is authorized to open a connection through the API server to a backend (for example, a pod exec session or an aggregated API request) to send arbitrary further requests to that backend over the same connection, authenticated with the API server's own TLS credentials. Upgrade your clusters immediately through the ACK console.

Affected versions

The following Kubernetes versions are affected:

  • Kubernetes v1.0.x through v1.9.x

  • Kubernetes v1.10.0 through v1.10.10 (fixed in v1.10.11)

  • Kubernetes v1.11.0 through v1.11.4 (fixed in v1.11.5)

  • Kubernetes v1.12.0 through v1.12.2 (fixed in v1.12.3)
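The following Python script is an added example, not part of this advisory or of ACK tooling. It encodes the version ranges listed above and applies them to the output of kubectl version -o json, so that a cluster's server version can be classified mechanically. The embedded kubectl output is a constructed sample, and the helper names is_affected and check_kubectl_version_output are this example's own.

```python
"""Classify a Kubernetes server version against the CVE-2018-1002105 ranges."""
import json
import re

# Patch level at which each affected minor line shipped the fix, per the advisory.
# Minor lines below 1.10 are affected with no in-line fix; 1.13 and later shipped fixed.
FIXED_PATCH = {10: 11, 11: 5, 12: 3}


def parse_version(v):
    """Return (major, minor, patch) from strings such as 'v1.10.4' or 'v1.12.2-aliyun.1'."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError("unrecognised version: %r" % v)
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """Return (affected, recommended_target); recommended_target is None when not affected."""
    major, minor, patch = parse_version(version)
    if major != 1:
        return (False, None)          # the advisory covers only 1.x releases
    if minor <= 9:
        # 1.0.x through 1.9.x: no fixed release in those lines, move to a fixed line
        return (True, "v1.10.11 or v1.11.5")
    if minor in FIXED_PATCH and patch < FIXED_PATCH[minor]:
        return (True, "v1.%d.%d" % (minor, FIXED_PATCH[minor]))
    return (False, None)              # 1.10.11+, 1.11.5+, 1.12.3+ and every later line


# Constructed sample of `kubectl version -o json`, trimmed to the fields used here.
SAMPLE_KUBECTL_VERSION = json.dumps({
    "clientVersion": {"gitVersion": "v1.12.3"},
    "serverVersion": {"gitVersion": "v1.11.2"},
})


def check_kubectl_version_output(raw_json):
    """Take the text of `kubectl version -o json` and classify the server (not client) version."""
    server = json.loads(raw_json)["serverVersion"]["gitVersion"]
    return server, is_affected(server)


if __name__ == "__main__":
    server, (affected, target) = check_kubectl_version_output(SAMPLE_KUBECTL_VERSION)
    print("server %s affected=%s upgrade_to=%s" % (server, affected, target))
```

Run it against a live cluster with kubectl version -o json | python3 check.py after replacing the embedded sample with sys.stdin.read(); only the serverVersion field matters, since the client version has no bearing on the API server's exposure.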

Affected cluster configurations

Your ACK cluster is affected if either of the following conditions is true:

  • Extension API server connections: An extension (aggregated) API server is registered in the cluster and kube-apiserver can connect to it directly. An attacker with access to the aggregation API can escalate privileges to the extension API server by sending arbitrary requests to it with the API server's credentials.

  • Pod exec/attach/port-forward exposure: The Pod exec, attach, or port-forward interface is exposed to users who are not expected to have full kubelet access. An attacker with such a permission can exploit this vulnerability to gain full permissions on the kubelet API of the node that runs the pod, which covers every pod on that node.
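As an added example that is not part of this advisory, the following Python script checks a cluster for the two configurations listed above from the output of kubectl get apiservices -o json and kubectl get clusterroles,roles -A -o json. An APIService backed by a Service is an extension API server that kube-apiserver proxies to; a role rule that allows create or get on pods/exec, pods/attach or pods/portforward (or a wildcard covering them) exposes the proxied kubelet interface. Both JSON documents embedded below are constructed samples, and extension_api_services and exec_grants are this example's own helper names.

```python
"""Flag the cluster configurations that expose CVE-2018-1002105."""
import json

# Constructed sample of `kubectl get apiservices -o json`, trimmed to the fields used.
SAMPLE_APISERVICES = json.dumps({"items": [
    {"metadata": {"name": "v1.apps"},
     "spec": {"group": "apps", "version": "v1"}},            # served locally by kube-apiserver
    {"metadata": {"name": "v1beta1.metrics.k8s.io"},
     "spec": {"group": "metrics.k8s.io", "version": "v1beta1",
              "service": {"name": "metrics-server", "namespace": "kube-system"}}},
]})

# Constructed sample in the shape of `kubectl get clusterroles,roles -A -o json`.
SAMPLE_ROLES = json.dumps({"items": [
    {"kind": "ClusterRole", "metadata": {"name": "developer"},
     "rules": [
         {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]},
         {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
     ]},
    {"kind": "Role", "metadata": {"name": "viewer", "namespace": "team-a"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "ops-all"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]})

PROXIED_SUBRESOURCES = {"pods/exec", "pods/attach", "pods/portforward"}
# kubectl opens these with POST (verb "create"); websocket clients open them with GET ("get").
PROXIED_VERBS = {"create", "get", "*"}


def extension_api_services(raw_json):
    """Names of APIService objects backed by a Service, i.e. extension API servers that
    kube-apiserver proxies requests to. Core groups carry no spec.service."""
    items = json.loads(raw_json)["items"]
    return sorted(i["metadata"]["name"] for i in items if i["spec"].get("service"))


def exec_grants(raw_json):
    """(role kind, role name, subresource) for every rule that allows exec/attach/port-forward.
    Wildcards count: apiGroups ['*'] or resources ['*'] cover the core-group pod subresources."""
    found = []
    for role in json.loads(raw_json)["items"]:
        for rule in role.get("rules", []):
            if not (set(rule.get("apiGroups", [])) & {"", "*"}):
                continue                      # pods live in the core ("") API group
            if not (set(rule.get("verbs", [])) & PROXIED_VERBS):
                continue
            resources = set(rule.get("resources", []))
            hits = PROXIED_SUBRESOURCES if "*" in resources else resources & PROXIED_SUBRESOURCES
            for sub in sorted(hits):
                found.append((role["kind"], role["metadata"]["name"], sub))
    return found


if __name__ == "__main__":
    for name in extension_api_services(SAMPLE_APISERVICES):
        print("extension API server registered:", name)
    for kind, name, sub in exec_grants(SAMPLE_ROLES):
        print("%s/%s grants %s" % (kind, name, sub))
```

Grants to roles that are bound only to cluster administrators, such as ops-all in the sample, are expected: the exposure is a grant to a subject that should not hold full kubelet access, so follow up each hit by checking which RoleBindings and ClusterRoleBindings reference it.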

ACK default security posture

ACK clusters include the following security configurations by default:

  • Role-based access control (RBAC) enabled: RBAC is enabled by default for API servers in ACK clusters. Anonymous requests that are not authenticated through an Alibaba Cloud account cannot call APIs that RBAC does not explicitly permit.

  • kubelet anonymous authentication disabled: The --anonymous-auth=false flag is set in the kubelet startup parameters, so unauthenticated requests to the kubelet API are rejected.

  • Aggregation API restricted: By default, Resource Access Management (RAM) users who have not been granted permissions by the Alibaba Cloud account cannot access the aggregation API.

Note

In multi-tenant ACK clusters, RAM users who have been granted Pod exec, attach, or port-forward permissions can use this vulnerability to reach the kubelet API without authorization. If only cluster administrators can access your cluster, this attack vector does not apply, because administrators already hold full privileges and have nothing to escalate to.

Fixes

Log on to the ACK console and upgrade your clusters. For more information, see Update an ACK cluster or update only the control planes or node pools in an ACK cluster.

Choose the upgrade path based on your current Kubernetes version:

Current version              Upgrade to           Notes
Kubernetes 1.11.2            1.11.5               Direct upgrade
Kubernetes 1.10.4            1.10.11 or 1.11.5    Direct upgrade
Kubernetes 1.9 or earlier    1.10.11 or 1.11.5    Upgrade FlexVolume first if cloud disks are mounted

Upgrade FlexVolume before upgrading from Kubernetes 1.9

If you are upgrading from Kubernetes 1.9 or earlier to 1.10 or 1.11 and cloud disks are mounted to your cluster, upgrade the FlexVolume component first:

  1. Log on to the ACK console and select the target cluster.

  2. In the navigation pane, choose More > Upgrade System Component.

  3. On the Upgrade System Component page, select flexvolume and click Upgrade.

ACK Serverless clusters

ACK Serverless clusters are not affected. Their security was reinforced before this vulnerability was disclosed.

Background

The Kubernetes community disclosed CVE-2018-1002105, a privilege escalation vulnerability in the Kubernetes API server. A user who is allowed to open a connection through the API server to a backend can send a specially crafted upgrade request; when the backend rejects it, the API server fails to close the connection, and the user can then send arbitrary requests over that already-established connection to backend services such as the kubelet API or an extension API server, authenticated with the API server's own TLS credentials.

For details about CVE-2018-1002105, see CVE-2018-1002105.