<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Kubernetes on ZX Cloud Security</title><link>https://zxcloudsecurity.co.uk/tags/kubernetes/</link><description>Recent content in Kubernetes on ZX Cloud Security</description><generator>Hugo</generator><language>en-GB</language><lastBuildDate>Wed, 03 Jun 2026 08:41:20 +0000</lastBuildDate><atom:link href="https://zxcloudsecurity.co.uk/tags/kubernetes/index.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2024-7598: Azure Kubernetes Network Bypass Flaw</title><link>https://zxcloudsecurity.co.uk/posts/cve-2024-7598-azure-kubernetes-network-restriction-bypass-race-condition/</link><pubDate>Wed, 03 Jun 2026 08:41:20 +0000</pubDate><guid>https://zxcloudsecurity.co.uk/posts/cve-2024-7598-azure-kubernetes-network-restriction-bypass-race-condition/</guid><description>CVE-2024-7598 exposes a race condition in Kubernetes namespace termination that allows network restriction bypass in Azure environments. Patch now.</description><content:encoded><![CDATA[<p>🟠 <strong>High</strong>  |  <strong>Source:</strong> <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-7598">Microsoft Security Response Center</a></p>
<hr>
<p>CVE-2024-7598 is a race condition vulnerability in Kubernetes namespace termination that can allow an attacker to bypass network restrictions within Azure-hosted clusters. During the brief window when a namespace is being deleted, network policies may not be correctly enforced, potentially permitting unauthorised traffic between pods or services. This matters because it could allow lateral movement or data exfiltration in multi-tenant or segmented environments.</p>
<blockquote>
<p><strong>Architect&rsquo;s Take:</strong> Review any workloads relying solely on Kubernetes network policies for isolation in Azure Kubernetes Service (AKS); consider supplementing with Azure Network Security Groups or Calico-enforced policies, and monitor for unexpected cross-namespace traffic, particularly during namespace lifecycle events. Apply any available patches or mitigations from Microsoft promptly.</p>
</blockquote>
<p><strong>Original advisory:</strong> <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-7598">CVE-2024-7598 Network restriction bypass via race condition during namespace termination</a></p>
]]></content:encoded></item><item><title>CVE-2020-8561: Kubernetes Webhook Redirect Flaw in AKS</title><link>https://zxcloudsecurity.co.uk/posts/cve-2020-8561-kubernetes-kube-apiserver-webhook-redirect-ssrf-azure/</link><pubDate>Wed, 03 Jun 2026 08:02:13 +0000</pubDate><guid>https://zxcloudsecurity.co.uk/posts/cve-2020-8561-kubernetes-kube-apiserver-webhook-redirect-ssrf-azure/</guid><description>CVE-2020-8561 allows webhook redirect abuse in kube-apiserver, enabling SSRF via Kubernetes admission webhooks. Affects AKS and self-managed clusters.</description><content:encoded><![CDATA[<p>🟡 <strong>Medium</strong>  |  <strong>Source:</strong> <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-8561">Microsoft Security Response Center</a></p>
<hr>
<p>CVE-2020-8561 is a vulnerability in the Kubernetes API server (kube-apiserver) that allows an attacker to redirect webhook traffic, potentially enabling server-side request forgery (SSRF) against internal network resources. By manipulating admission webhook configurations, a malicious actor could cause the API server to make requests to arbitrary internal endpoints, bypassing network controls. This affects Azure Kubernetes Service (AKS) and any Kubernetes environment where untrusted users can modify webhook configurations.</p>
<blockquote>
<p><strong>Architect&rsquo;s Take:</strong> Review and restrict who has permission to create or modify ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects in your Kubernetes clusters — limit this to highly trusted administrators only. Audit existing webhook configurations for unexpected or suspicious target URLs, and consider network policies that restrict where the kube-apiserver can make outbound connections.</p>
</blockquote>
<p><strong>Original advisory:</strong> <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-8561">CVE-2020-8561 Webhook redirect in kube-apiserver</a></p>
]]></content:encoded></item></channel></rss>