A high-severity vulnerability (CVE-2024-56513) has been identified in Karmada (Kubernetes Armada), a management platform designed to facilitate cloud-native applications across multiple Kubernetes clusters and clouds. This flaw, which has been assigned a CVSSv4 score of 8.7, poses a severe threat to systems utilizing Karmada’s PULL mode clusters.
The CVE-2024-56513 vulnerability lies in the excessive privileges granted to PULL mode clusters registered via the karmadactl register command. These clusters, intended to streamline multi-cloud and hybrid cloud application management, inadvertently expose critical control plane resources. An attacker able to authenticate as the karmada-agent could exploit these permissions to gain administrative control over the entire federation system, including all member clusters.
Such privilege escalation could lead to:
- Unauthorized access to sensitive configuration data.
- Manipulation or disruption of application traffic scheduling.
- Potential lateral attacks across member clusters.
The vulnerability affects all versions of Karmada prior to 1.12.0. Karmada has released version 1.12.0, which includes a patch for this vulnerability. Users are strongly advised to upgrade to this version or a later version as soon as possible.
For users unable to immediately upgrade, Karmada’s Component Permissions Documentation provides guidance on restricting PULL mode cluster access permissions. Implementing these configurations can reduce the risk of exploitation until a full upgrade is feasible.
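The mitigation above amounts to checking what the agent's RBAC role actually grants against what it needs. The following is an added example (not Karmada project code) that audits a ClusterRole against a least-privilege allowlist; the allowlist, the role name and the manifest are constructed for illustration and are not Karmada's real policy.

```python
"""Audit a Kubernetes RBAC ClusterRole for permissions broader than an allowlist.

Added example, not Karmada's own code. AGENT_ALLOWLIST is an assumption about
what a PULL-mode agent minimally needs; OVERBROAD_ROLE is a constructed manifest.
"""
from dataclasses import dataclass

WILDCARD = "*"

# Hypothetical allowlist: resource -> verbs the agent may use (constructed).
AGENT_ALLOWLIST = {
    "clusters": {"get", "list", "watch", "update", "patch"},
    "clusters/status": {"update", "patch"},
    "works": {"get", "list", "watch"},
    "works/status": {"update", "patch"},
    "leases": {"get", "create", "update"},
}

@dataclass(frozen=True)
class Finding:
    resource: str
    verbs: tuple   # offending verbs, sorted
    reason: str

def rule_findings(rule, allowlist):
    """Return one Finding per resource in a rule that exceeds the allowlist."""
    findings = []
    verbs = set(rule.get("verbs", []))
    for resource in rule.get("resources", []):
        if resource == WILDCARD or WILDCARD in verbs:
            findings.append(Finding(resource, tuple(sorted(verbs)), "wildcard"))
        elif resource not in allowlist:
            findings.append(Finding(resource, tuple(sorted(verbs)), "resource not in allowlist"))
        elif verbs - allowlist[resource]:
            findings.append(Finding(resource, tuple(sorted(verbs - allowlist[resource])), "excess verbs"))
    return findings

def audit_role(role, allowlist=AGENT_ALLOWLIST):
    """Flatten findings over every rule of a ClusterRole dict; empty list means compliant."""
    return [f for rule in role.get("rules", []) for f in rule_findings(rule, allowlist)]

# Constructed over-broad role (hypothetical name, not Karmada's actual manifest).
OVERBROAD_ROLE = {
    "kind": "ClusterRole", "metadata": {"name": "example-agent-role"},
    "rules": [
        {"apiGroups": ["cluster.karmada.io"], "resources": ["clusters", "clusters/status"],
         "verbs": ["get", "list", "watch", "update", "patch", "delete"]},
        {"apiGroups": ["work.karmada.io"], "resources": ["works", "works/status"], "verbs": ["*"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
    ],
}

if __name__ == "__main__":
    for f in audit_role(OVERBROAD_ROLE):
        print(f"{f.resource}: {f.reason} {list(f.verbs)}")
```

Run against a role exported with `kubectl get clusterrole <name> -o json` (loaded into a dict) to see which rules to tighten before the upgrade.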