Application exploit (RCE)

Framework

MITRE, AllControls

Severity

Critical

Description of the the issue

An application that is deployed in the cluster and is vulnerable to a remote code execution vulnerability, or a vulnerability that eventually allows code execution, enables attackers to run code in the cluster. If service account is mounted to the container (default behavior in Kubernetes), the attacker will be able to send requests to the API server using this service account credentials.

Related resources

CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet, services

What does this control test

Searching the image from pod spec in the vulnerability scan database, if there is at least one high vulnerability we raise an alert.

Remediation

Patch your container with a version that does not have this vulnerability or use ARMO runtime protection (sign the workload).

Example

No example