A critical vulnerability in Kubernetes open-source system for handling containerized applications can enable an attacker to gain full administrator privileges on Kubernetes compute nodes . Kubernetes makes it easier to manage a container environment by organizing application containers into pods , nodes ( physical or virtual machines ) and clusters . Multiple nodes form a cluster , managed by a master that coordinates cluster-related activities like scaling , scheduling , or updating apps . Each node has an agent called Kubelet that facilitates communication with the Kubernetes master via the API . The number of nodes available in a Kubernetes system can be hundreds and even thousands . Pulling this off is easy on default configurations , where `` all users ( authenticated and unauthenticated ) are allowed to perform discovery API calls that allow this escalation , '' says Jordan Liggitt , staff software engineer at Google . The security bug was discovered Vulnerability-related.DiscoverVulnerability by Darren Shepherd , co-founder of Rancher Labs company that provides the Kubernetes-as-a-Service solution called Rancher . Now tracked as Vulnerability-related.DiscoverVulnerability CVE-2018-1002105 , the flaw is critical , with a Common Vulnerability Scoring System ( CVSS ) score of 9.8 out of 10 . According to the latest version of the vulnerability severity calculator , exploiting the security glitch has low difficulty and does not require user interaction . Red Hat 's OpenShift Container Platform uses Kubernetes for orchestrating and managing containers is also impacted Vulnerability-related.DiscoverVulnerability by the vulnerability . In an advisory on the matter , the company explains that the flaw can be used in two ways against its products . One involves a normal user with 'exec , ' 'attach , ' or 'portforward ' rights over a Kubernetes pod ( a group of one or more containers that share storage and network resources ) ; they can escalate their privileges to cluster-admin level and execute any process in a container . The second attack method exploits the API extension feature used by ‘ metrics-server ’ and ‘ servicecatalog ’ in OpenShift Container Platform , OpenShift Online , and Dedicated . No privileges are required and an unauthenticated user can get admin rights to any API extension deployed to the cluster . `` Cluster-admin access to ‘ servicecatalog ’ allows creation of service brokers in any namespace and on any node , '' the advisory details . The problem has been addressed Vulnerability-related.PatchVulnerability in the latest Kubernetes revisions : v1.10.11 , v1.11.5 , v1.12.3 , and v1.13.0-rc.1 . Kubernetes releases prior to these along with the products and services based on them are affected Vulnerability-related.DiscoverVulnerability by CVE-2018-1002105 . Red Hat released Vulnerability-related.PatchVulnerability patches for the OpenShift family of containerization software ( OpenShift Container Platform , OpenShift Online , and OpenShift Dedicated ) and users received Vulnerability-related.PatchVulnerability service updates they can install at their earliest convenience . The software company warns that a malicious actor could exploit the vulnerability to steal Attack.Databreach data or inject malicious code , as well as `` bring down production applications and services from within an organization ’ s firewall . ''

Microsoft released Vulnerability-related.PatchVulnerability a security update designed to patch Vulnerability-related.PatchVulnerability remote code execution ( RCE ) and information disclosure vulnerabilities in its Microsoft Exchange Server 2019 , 2016 , and 2013 products . The RCE security issue is being tracked as Vulnerability-related.DiscoverVulnerability CVE-2019-0586 and according to Microsoft 's advisory it exists because `` the software fails to properly handle objects in memory . '' Attackers can run code as System user Following a successful attack of a vulnerable Microsoft Exchange Server installations , potential attackers would be able to take advantage of System user permissions . An attacker who successfully exploited Vulnerability-related.DiscoverVulnerability the vulnerability could run arbitrary code in the context of the System user . An attacker could then install programs ; view , change , or delete data ; or create new accounts . In order to exploit the CVE-2019-0586 vulnerability , attackers have to send Attack.Phishing maliciously crafter emails to a vulnerable Exchange server . The issue has been addressed Vulnerability-related.PatchVulnerability by changing the way Microsoft Exchange handles objects in memory . The information disclosure Microsoft Exchange Server vulnerability was assigned Vulnerability-related.DiscoverVulnerability the CVE-2019-0588 tracking id and it is caused by the way Microsoft Exchange 's `` PowerShell API grants calendar contributors more view permissions than intended . '' To exploit this vulnerability , an attacker would need to be granted contributor access to an Exchange Calendar by an administrator via PowerShell . The attacker would then be able to view additional details about the calendar that would normally be hidden . The CVE-2019-0588 , security vulnerability was fixed Vulnerability-related.PatchVulnerability by correcting the way Exchange 's PowerShell API grants permissions to contributors . Microsoft rated the two vulnerabilities as 'Important ' Microsoft assigned an Important severity level to both security issues and , until their public disclosure , no mitigation factors or workarounds have been found . On servers that are using user account control ( UAC ) the update may fail to install if the update packages are run without Administrator privileges .