1464 개 항목 찾음

취약점

Kubernetes Misconfiguration: Static Authentication Token

YAML

Abstract

Kubernetes API 서버가 정적 토큰을 사용하여 요청을 인증합니다.

Explanation

Kubernetes API 서버는 전달자 토큰을 정적 토큰 파일에 보관된 목록과 비교하여 요청을 인증합니다. 토큰 파일은 기밀을 일반 텍스트로 저장하며 본질적으로 정적입니다. 정적 토큰 기반 인증은 무차별 대입 공격에 취약하며 잘못 구성된 환경에서 공격자에게 액세스 자격 증명을 유출할 수 있습니다. 토큰을 추가, 교체 또는 취소하려면 API 서버를 다시 시작해야 합니다.

예제 1: 다음 구성은 --token-auth-file 플래그를 사용하여 정적 토큰으로 요청을 인증하는 Kubernetes API 서버를 시작합니다.


...
spec:
  containers:
  - command:
    - kube-apiserver
    ...
    - --token-auth-file=<filename>
    ...

References

[1] Static Token File The Kubernetes Authors

[2] Standards Mapping - CIS Kubernetes Benchmark Recommendation 1.2.2

[3] Standards Mapping - Common Weakness Enumeration CWE ID 552

[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001958

[5] Standards Mapping - FIPS200 CM

[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-3 Device Identification and Authentication (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1)

[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-3 Device Identification and Authentication, IA-8 Identification and Authentication (Non-Organizational Users)

[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.9.1 Communications Architectural Requirements (L2 L3), 2.2.5 General Authenticator Requirements (L3), 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.3.1 Sensitive Private Data (L1 L2 L3), 8.1.6 General Data Protection (L3), 9.1.1 Communications Security Requirements (L1 L2 L3), 9.2.2 Server Communications Security Requirements (L2 L3), 14.4.5 HTTP Security Headers Requirements (L1 L2 L3)

[11] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[12] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[13] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management

[14] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[17] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection

[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3260.1 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3260 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3260 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3260 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3260 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3260 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3260 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001650 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001650 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001650 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001650 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001650 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001650 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001650 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001650 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001650 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001650 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001650 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001650 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001650 CAT II

[52] Standards Mapping - Web Application Security Consortium Version 2.00 Server Misconfiguration (WASC-14)

desc.structural.yaml.kubernetes_misconfiguration_static_authentication_token.base

Kubernetes Misconfiguration: Unbound Controller Manager

YAML

Abstract

Kubernetes 컨트롤러 관리자가 외부 연결을 수락합니다.

Explanation

Kubernetes 컨트롤러 관리자는 클러스터의 상태를 모니터링하고 필요한 경우 클러스터가 관리하는 모든 리소스를 변경할 수 있습니다. 기본적으로 컨트롤러 관리자는 외부 연결의 요청을 수락합니다. 외부 연결을 통해 공격자는 보안에 민감하지만 충분히 보호되지 않는 API에 액세스할 수 있습니다.

예제 1: 다음 구성은 바인딩 주소 없이 Kubernetes 컨트롤러 관리자를 시작합니다.


...
spec:
  containers:
  - command:
    - kube-controller-manager
    - --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf
    - --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf
    image: example.domain/kube-controller-manager:v1.9.7
    imagePullPolicy: IfNotPresent
    ...

References

[1] Kubernetes controller manager The Kubernetes Authors

[2] Standards Mapping - CIS Kubernetes Benchmark Recommendation 1.3.7

[3] Standards Mapping - Common Weakness Enumeration CWE ID 20

[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [3] CWE ID 020

[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [3] CWE ID 020

[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020

[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020

[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020

[9] Standards Mapping - FIPS200 CM

[10] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[11] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3)

[13] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[14] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[15] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[16] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[17] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[18] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection

[29] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 020

[30] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)

desc.structural.yaml.kubernetes_misconfiguration_unbound_controller_manager

Kubernetes Misconfiguration: Unbound Scheduler

YAML

Abstract

Kubernetes 스케줄러가 외부 연결을 허용합니다.

Explanation

Kubernetes 스케줄러는 Pod가 실행되는 위치를 결정합니다. 기본적으로 스케줄러는 외부 연결의 요청을 수락합니다. 외부 연결을 통해 공격자는 충분히 보호되지 않고 보안에 민감한 API에 액세스할 수 있습니다.

예제 1: 다음 구성은 바인딩 주소 없이 Kubernetes 스케줄러를 시작합니다.


...
spec:
  containers:
    - command:
      - kube-scheduler
    image: example.domain/kube-scheduler:v1.5.2
    imagePullPolicy: IfNotPresent
    ...

References

[1] Kubernetes Scheduler The Kubernetes Authors

[2] Standards Mapping - CIS Kubernetes Benchmark Recommendation 1.4.2

[3] Standards Mapping - Common Weakness Enumeration CWE ID 20

[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [3] CWE ID 020

[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [3] CWE ID 020

[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020

[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020

[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020

[9] Standards Mapping - FIPS200 CM

[10] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3)

[12] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[13] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[14] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[17] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection

[28] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 020

[29] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)

desc.structural.yaml.kubernetes_misconfiguration_unbound_scheduler

Kubernetes Misconfiguration: Unconfigured API Server Logging

YAML

Abstract

Kubernetes API 서버가 감사 이벤트를 기록하는 정책을 정의하지 않고 시작됩니다.

Explanation

감사 정책 파일이 지정되지 않은 경우 Kubernetes API 서버는 이벤트를 기록하지 않습니다. 이벤트 로그에는 보안 사고를 식별하고 정책 위반을 모니터링하며 거부 없음 제어를 지원하는 데 사용되는 중요한 데이터가 포함됩니다.

예제 1: 다음 구성은 --audit-policy-file 플래그 없이 Kubernetes API 서버를 시작합니다.


...
spec:
  containers:
  - command:
    - kube-apiserver
    - --audit-log-path=<the log file path>
  image: example.domain/kube-apiserver-amd64:v1.6.0
  ...

References

[1] Audit Policy The Kubernetes Authors

[2] Standards Mapping - CIS Kubernetes Benchmark Recommendation 3.2.1

[3] Standards Mapping - Common Weakness Enumeration CWE ID 778

[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172

[5] Standards Mapping - FIPS200 CM

[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)

[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation

[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)

[11] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[12] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[13] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[14] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[15] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring

[16] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10, Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2

[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking

[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3680.4 CAT II, APP3680.5 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3680.4 CAT II, APP3680.5 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3680.4 CAT II, APP3680.5 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3680.4 CAT II, APP3680.5 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3680.4 CAT II, APP3680.5 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3680.4 CAT II, APP3680.5 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3680.4 CAT II, APP3680.5 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000830 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000830 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000830 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000830 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000830 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000830 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000830 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000830 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000830 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000830 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000830 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000830 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000830 CAT II

[52] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)

desc.structural.yaml.kubernetes_misconfiguration_unconfigured_api_server_logging.base

Kubernetes Misconfiguration: Uncontrolled Kubelet Resource Consumption

YAML

Abstract

구성이 무제한 리소스 사용을 허용합니다.

Explanation

청구 가능 컴퓨팅 리소스에는 CPU 사용량, 메모리, 영구 저장소, 네트워크 연결을 비롯한 여러 항목이 포함됩니다. 리소스 사용량 제한이 없으면 공격자가 사용 가능 리소스를 모두 소진하거나 과도한 요금을 발생시키는 서비스 거부 상황을 야기할 수 있습니다.

References

[1] Standards Mapping - CIS Kubernetes Benchmark Recommendation 4.2.13

[2] Standards Mapping - Common Weakness Enumeration CWE ID 770

[3] Standards Mapping - Common Weakness Enumeration Top 25 2024 [24] CWE ID 400

[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094

[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)

[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection

[7] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption, API8 Security Misconfiguration

[8] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service

[9] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[10] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[12] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.3 - Web Software Attack Mitigation

[23] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 404

[24] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002400 CAT II

[47] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)

[48] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service

desc.structural.iac.misconfiguration_uncontrolled_resource_consumption.base

Kubernetes Misconfiguration: Weak etcd SSL Certificate

YAML

Abstract

etcd 인스턴스가 자체 서명된 인증서를 사용하는 클라이언트의 TLS 연결을 허용합니다.

Explanation

Kubernetes는 민감한 데이터를 etcd 클러스터에 보관합니다. 따라서 모든 etcd 인스턴스는 인증되고 권한 부여된 클라이언트의 연결만 수락하고 자체 서명된 인증서를 TLS 연결에 사용하는 클라이언트를 거부해야 합니다.

예제 1: 다음 구성은 etcd 인스턴스를 시작하고 --auto-tls 플래그를 true로 설정합니다. 결과적으로 etcd 인스턴스는 클라이언트와의 TLS 연결에 자체 서명된 인증서를 사용합니다.


...
spec:
  containers:
  - command:
...
    - etcd
    ...
    - --auto-tls=true
    ...

References

[1] Operating etcd clusters for Kubernetes The Kubernetes Authors

[2] etcd configuration etcd Authors

[3] Standards Mapping - CIS Kubernetes Benchmark Recommendation 2.3

[4] Standards Mapping - Common Weakness Enumeration CWE ID 296

[5] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287, [25] CWE ID 295

[6] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287

[7] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287

[8] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287

[9] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287

[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000166, CCI-000185, CCI-001941, CCI-001942

[11] Standards Mapping - FIPS200 CM

[12] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-10 Non-Repudiation (P2), IA-2 Identification and Authentication (Organizational Users) (P1), IA-5 Authenticator Management (P1), SC-17 Public Key Infrastructure Certificates (P1)

[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-10 Non-Repudiation, IA-2 Identification and Authentication (Organizational Users), IA-5 Authenticator Management, SC-17 Public Key Infrastructure Certificates

[15] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[16] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 9.2.1 Server Communications Security Requirements (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)

[17] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection

[18] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[19] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[20] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[21] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[22] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.9

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.4

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.4

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.4

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.4

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.4

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design

[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design

[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3305 CAT I

[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3305 CAT I

[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3305 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3305 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3305 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3305 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3305 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[57] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[58] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15), Insufficient Authentication (WASC-01)

[59] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication

desc.structural.yaml.kubernetes_misconfiguration_weak_etcd_ssl_certificate.base

Kubernetes Misconfiguration: Weak SSL Certificate for Kubelet

YAML

Abstract

이 Kubelet은 x509 인증서 정의가 없는 경우 TLS 연결에 자체 서명 인증서를 사용합니다.

Explanation

Kubelet 구성의 tlsCertFile 및 tlsPrivateKeyFile 필드는 HTTPS 요청을 처리하는 데 사용되는 x509 인증서를 정의합니다. 두 필드를 둘 다 제공하지 않으면 공용 주소에 대해 MITM(Man-In-The-Middle) 공격에 취약한 자체 서명 인증서 및 키가 생성됩니다.

예제 1: 다음 Kubelet 구성은 Kubelet이 TLS 연결용 자체 서명 인증서를 자동으로 생성하도록 tlsCertFile 및 tlsPrivateKeyFile 필드를 지정하지 않습니다.


apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration

References

[1] Set Kubelet parameters via a config file The Kubernetes Authors

[2] Kubelet The Kubernetes Authors

[3] Standards Mapping - CIS Kubernetes Benchmark Recommendation 4.2.9

[4] Standards Mapping - Common Weakness Enumeration CWE ID 311

[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-000166, CCI-001453, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123

[6] Standards Mapping - FIPS200 CM, SC

[7] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), AU-10 Non-Repudiation (P2), MA-4 Nonlocal Maintenance (P2), SC-8 Transmission Confidentiality and Integrity (P1)

[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, AU-10 Non-Repudiation, MA-4 Nonlocal Maintenance, SC-8 Transmission Confidentiality and Integrity

[10] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)

[12] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection

[13] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[14] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications

[15] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection

[16] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[17] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[18] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography

[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications

[31] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 319

[32] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311

[33] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311

[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260.1 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-000590 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-000590 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-000590 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[57] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)

[58] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage

desc.structural.yaml.kubernetes_misconfiguration_weak_ssl_certificate_for_kubelet

Kubernetes Terraform Misconfiguration: Improper DaemonSet Access Control

Abstract

구성이 적절한 액세스 제어를 적용하지 않습니다.

Explanation

중요한 리소스 액세스를 제어하지 않으면 중요한 데이터가 공개되거나 변조되는 등 조직이 다양한 방식으로 심각한 영향을 받을 수 있습니다.

References

[1] Open Web Application Security Project (OWASP) Authorization Cheat Sheet

[2] Standards Mapping - CIS Kubernetes Benchmark Recommendation 5.1.5

[3] Standards Mapping - Common Weakness Enumeration CWE ID 284

[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [25] CWE ID 862

[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862

[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [16] CWE ID 862

[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165

[8] Standards Mapping - FIPS200 AC

[9] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-6 Least Privilege (P1), SC-3 Security Function Isolation (P1)

[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-6 Least Privilege, SC-3 Security Function Isolation

[12] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3)

[14] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control

[15] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference

[16] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References

[17] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References

[18] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control

[19] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 1.4.2

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 1.4.2

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[32] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 863

[33] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863

[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I

[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I

[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[57] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)

[58] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization

desc.structural.iac.misconfiguration_improper_access_control.base

Kubernetes Terraform Misconfiguration: Improper Deployment Access Control