In a recent post by ZDI, researchers found an out-of-bounds access flaw (CVE-2021-31440) in the Linux kernel’s (5.11.15) implementation of the eBPF code verifier: an incorrect register bounds calculation occurs while checking unsigned 32-bit instructions in an eBPF program. The flaw can be leveraged to escalate privileges and execute arbitrary code in the context of the kernel.
The Docker vs. Kubernetes debate is common in the containerization world. Although most people like comparing Kubernetes and Docker, the two technologies are not exchangeable—you cannot choose one over the other. They are essentially discrete technologies that can perfectly complement each other when creating, delivering, and scaling containerized applications. In fact, the best at par comparison would be Docker Swarm vs. Kubernetes, which we’ll talk about later.
Amazon Elastic Container Service (ECS) Anywhere enables you to simply run containers in whatever location makes the most sense for your business – including on-premises. Security is a key concern for organizations shifting to the cloud. Sysdig has validated our Secure DevOps platform with ECS Anywhere, giving AWS customers the security and visibility needed to run containers confidently on the new deployment model.
Since Google first introduced Kubernetes, it’s become one of the most popular DevOps platforms on the market. Unfortunately, increasingly widespread usage has made Kubernetes a growing target for hackers. To illustrate the scale of the problem, a Stackrox report found that over 90% of respondents had experienced some form of security breach in 2020. These breaches were due primarily to poorly-implemented Kubernetes security.
The CVE-2021-25737 low-level vulnerability has been found in Kubernetes kube-apiserver where an authorized user could redirect pod traffic to private networks on a Node. The kube-apiserver affected are: By exploiting the vulnerability, adversaries could be able to redirect pod traffic even though Kubernetes already prevents creation of Endpoint IPs in the localhost or link-local range.
In its mission to simplify building and running cloud-native applications for users, Amazon has announced the GA of AWS App Runner, a new purpose-built container application service. With security top of mind for most organizations shifting to the cloud, Sysdig has collaborated with AWS to enable threat detection for the new platform.
Fargate offers a great value proposition to AWS users: forget about virtual machines and just provision containers. Amazon will take care of the underlying hosts, so you will be able to focus on writing software instead of maintaining and upgrading a fleet of Linux instances. Fargate brings many benefits to the table, including small maintenance overhead, lower attack surface, and granular pricing. However, as any cloud asset, leaving your AWS Fargate tasks unattended can lead to nasty surprises.
