Kubernetes was found to have three interconnected, high-severity security issues that may be used to remotely execute code with root rights on Windows endpoints in a cluster. All Kubernetes setups with Windows nodes are affected by the three vulnerabilities, CVE-2023-3676, CVE-2023-3893, and CVE-2023-3955, which have CVSS scores of 8.8. After Akamai made a responsible disclosure on July 13, 2023, fixes for the vulnerabilities were made available on August 23.
Tomer Peled, a security researcher with Akamai, explained the flaw in a technical article that was shared with The Hacker News. “The vulnerability allows remote code execution with SYSTEM privileges on all Windows endpoints within a Kubernetes cluster,” he said. A malicious YAML file must be applied to the cluster in order for the attacker to take use of this vulnerability.