C-0084 - Workloads with RCE vulnerabilities exposed to external traffic
Framework
Severity
High
Description of the issue
Container images with known Remote Code Execution (RCE) vulnerabilities pose a significantly higher risk when they are exposed to external traffic. This control lists every image with such vulnerabilities whose pod is selected by a LoadBalancer or NodePort service.
Related resources
Pod, Service
What does this control test
This control enumerates externally facing workloads, i.e. pods selected by a LoadBalancer or NodePort service, and checks the vulnerability information of their images for RCE vulnerabilities.
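The check described above, written out in Python as an added example (this is not Kubescape's own control implementation, which is written in Rego): pods are matched to services by namespace and label selector, only LoadBalancer and NodePort services count as external, and a pod fails only if one of its images has a finding flagged as RCE. The pods, services, the `rce` flag and the vulnerability IDs are constructed sample data.

```python
# Constructed sample data (not real cluster output): three pods, three
# services and a per-image vulnerability summary.
PODS = [
    {"name": "web", "namespace": "default", "labels": {"app": "web"},
     "images": ["registry.example/web:1.2"]},
    {"name": "batch", "namespace": "default", "labels": {"app": "batch"},
     "images": ["registry.example/batch:0.9"]},
    {"name": "api", "namespace": "default", "labels": {"app": "api"},
     "images": ["registry.example/api:3.0"]},
]
SERVICES = [
    {"name": "web-lb", "namespace": "default", "type": "LoadBalancer",
     "selector": {"app": "web"}},
    {"name": "batch-np", "namespace": "default", "type": "NodePort",
     "selector": {"app": "batch"}},
    {"name": "api-internal", "namespace": "default", "type": "ClusterIP",
     "selector": {"app": "api"}},
]
# 'rce' is an assumed flag marking findings categorised as remote code
# execution; the IDs are placeholders, not real vulnerability identifiers.
IMAGE_VULNS = {
    "registry.example/web:1.2": [{"id": "VULN-PLACEHOLDER-1", "rce": True}],
    "registry.example/batch:0.9": [{"id": "VULN-PLACEHOLDER-2", "rce": False}],
    "registry.example/api:3.0": [{"id": "VULN-PLACEHOLDER-3", "rce": True}],
}
EXTERNAL_TYPES = {"LoadBalancer", "NodePort"}
def selects(service, pod):
    # A Service targets a Pod only in its own namespace, via a non-empty
    # selector whose every label is present on the Pod with the same value.
    if service["namespace"] != pod["namespace"] or not service["selector"]:
        return False
    return all(pod["labels"].get(k) == v for k, v in service["selector"].items())

def exposing_services(pod, services):
    return [s["name"] for s in services
            if s["type"] in EXTERNAL_TYPES and selects(s, pod)]

def evaluate(pods, services, vulns):
    # Failed resources: externally reachable pods whose image has an RCE finding.
    failed = []
    for pod in pods:
        exposing = exposing_services(pod, services)
        if not exposing:
            continue  # ClusterIP-only or unselected pods never fail this control
        for image in pod["images"]:
            ids = [v["id"] for v in vulns.get(image, []) if v["rce"]]
            if ids:
                failed.append({"pod": pod["name"], "image": image,
                               "services": exposing, "vulnerabilities": ids})
    return failed
```

Note that the `api` pod carries an RCE finding but is not reported, because it is only reachable through a ClusterIP service; the `batch` pod is exposed via NodePort but has no RCE finding, so it passes too.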
Remediation
Either update the container image to fix the vulnerabilities (if such a fix is available) or reassess whether this workload must be exposed to outside traffic. If no fix is available, consider periodically restarting the pod to minimize the risk of persistent intrusion. Use the exception mechanism if you don't want to see this report again.
Example
@controls/examples/c84.yaml