For our fourth post in this series, we delve into some of the details of Kubernetes (K8s) vulnerabilities. This post assumes that readers understand how we selected and grouped the vulnerabilities, which is covered in Part 2. As a brief reminder, charts referencing "K8s" refer to vulnerabilities that are directly or closely related to the Kubernetes project technology, while charts referencing "K8s Dist" or just "Dist" refer to implementations (e.g. Red Hat's OpenShift or Rancher's Kubernetes enterprise distributions).
Kubernetes CVSS Distribution
Kubernetes vulnerabilities first show up in the CVE database starting with the 2015-named cohort. Comparing the K8s platform and K8s distribution (Dist) vulnerabilities' CVSSv3 score categories across the relevant named years (2015-2020) with the CVSSv3 score category distribution of all published CVEs in those same cohorts, we find that both K8s groups' CVEs tend to be rated less severe overall than the general population of vulnerabilities, and that the K8s group is noticeably less severe than the K8s Dist group.
Looking a little more granularly at Kubernetes vulnerabilities in each yearly cohort, we can see that the total number of published K8s CVEs has been trending higher, and that the number of vulnerabilities related to configuration/distribution (Dist) problems has overtaken the number of vulnerabilities directly related to the K8s project.
This surge from 2017 to 2019 is in line with the rapid increase in interest in the Kubernetes technology and its increasing rate of adoption in the DevOps community. The year-to-year variation in the distribution of CVSS scores does not yet show a meaningful pattern. Compared to the distribution of CVSS scores among all CVEs, it is interesting to note that whereas the High/Critical categories of all CVEs have accounted for >50% of the CVSS distribution since 2016, the opposite appears to hold for K8s CVEs. In 2018, the High/Critical categories made up >50% of K8s CVEs, but that share has shrunk progressively through 2019 and 2020, with most High/Critical vulnerabilities due to configuration/implementation issues.
As described in an earlier technical paper, CYR3CON uses CyRating, a risk measurement that reflects the current real-world threat to vulnerabilities, to predict vulnerabilities at real-world risk of exploitation. CyRating scores scale from 1.00 to 38.46, where a vulnerability with a CyRating of 10.00 is 10x more likely to be exploited than a vulnerability with a CyRating of 1.00. As the relative likelihood that a vulnerability will be exploited by hackers, CyRating calculations are driven by threat intelligence obtained from various sources such as hacker-community data collected from the dark web, deep web, social media, and other open sources.
Comparing the Kubernetes CVEs' distribution of CyRating with all CVEs of the relevant 2015-2020 cohorts, we see a very similar 70/30 split at the CyRating value of 5. Above 5, the distributions diverge, with a much smaller percentage of K8s vulnerabilities rated at the highest real-world risk compared to all 2015-2020 CVEs.
If we look across the yearly cohorts of interest, it is interesting to note the percentage of CVEs that have a CyRating >=5. The portion of Kubernetes vulnerabilities meeting this threshold appears to be steadily rising. For all CVEs, the numbers show moderate variance from 2015-2019, but then show a notable rise in 2020.
The examination of these data might be summarized as follows. First, the number of Kubernetes CVEs was low from 2015-2017, but there was a marked increase across the most recent three years (2018-2020). Second, while the CVSSv3 scores of all CVEs from 2016-2020 track consistently near a 40/60 split across the combined categories Low-Medium/High-Critical, Kubernetes CVEs have bucked this trend, with a clear majority of vulnerabilities falling in the Low-Medium categories. Third, not only did the number of Kubernetes CVEs markedly increase from 2018-2020, but the real-world risk posed by these vulnerabilities also increased (despite the relatively lower CVSSv3 scores), as evidenced by the increasing percentage of annual K8s CVEs with a CyRating >5. This reflects hackers' increasing interest in the Kubernetes technology and its importance in modern application infrastructure.
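The cohort analysis summarized above (binning each CVE into a CVSSv3 severity band, then computing per-cohort shares of High/Critical CVEs and of CVEs at or above a CyRating threshold) can be reproduced on any CVE feed that carries both scores. The following is an added example and not CYR3CON's own code: the severity bands are the standard CVSSv3 qualitative scale, while the records, their CyRating values and the `dist` flag are constructed for illustration only.

```python
# Added example: reproduce the post's cohort analysis on a constructed sample.
# CVSSv3 bands follow the standard qualitative rating scale (Low 0.1-3.9,
# Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0). Records are invented.
from collections import defaultdict


def cvss_category(score):
    """Map a CVSSv3 base score to its qualitative severity band."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def cohort_summary(records, group="year", cyrating_threshold=5.0):
    """Group records by a field (named-year cohort, or the K8s/Dist flag) and
    report the count, the High/Critical share, and the share whose CyRating
    meets the threshold, in each group."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec[group]].append(rec)
    summary = {}
    for key, recs in sorted(groups.items()):
        n = len(recs)
        high_crit = sum(cvss_category(r["cvss"]) in ("High", "Critical") for r in recs)
        risky = sum(r["cyrating"] >= cyrating_threshold for r in recs)
        summary[key] = {
            "count": n,
            "high_critical_share": round(high_crit / n, 3),
            "cyrating_ge_threshold_share": round(risky / n, 3),
        }
    return summary


# Constructed sample; IDs are placeholders, not real CVE numbers.
# dist=True marks a distribution/configuration CVE, dist=False a K8s project CVE.
SAMPLE = [
    {"id": "CVE-2018-EXAMPLE-1", "year": 2018, "dist": False, "cvss": 9.8, "cyrating": 6.2},
    {"id": "CVE-2018-EXAMPLE-2", "year": 2018, "dist": True, "cvss": 7.5, "cyrating": 2.1},
    {"id": "CVE-2018-EXAMPLE-3", "year": 2018, "dist": False, "cvss": 5.3, "cyrating": 1.4},
    {"id": "CVE-2019-EXAMPLE-1", "year": 2019, "dist": True, "cvss": 6.5, "cyrating": 5.0},
    {"id": "CVE-2019-EXAMPLE-2", "year": 2019, "dist": False, "cvss": 3.1, "cyrating": 7.8},
    {"id": "CVE-2019-EXAMPLE-3", "year": 2019, "dist": True, "cvss": 8.8, "cyrating": 1.0},
    {"id": "CVE-2019-EXAMPLE-4", "year": 2019, "dist": False, "cvss": 4.0, "cyrating": 5.5},
    {"id": "CVE-2020-EXAMPLE-1", "year": 2020, "dist": False, "cvss": 2.7, "cyrating": 9.3},
    {"id": "CVE-2020-EXAMPLE-2", "year": 2020, "dist": True, "cvss": 7.0, "cyrating": 12.0},
]
```

Calling `cohort_summary(SAMPLE)` gives the per-year view used in the post, and `cohort_summary(SAMPLE, group="dist")` gives the K8s versus Dist comparison.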
CYR3CON helps teams prioritize vulnerabilities and prevent breaches. Contact us today to learn how we have become the most accurate, peer-reviewed, predictor of weaponized exploits.