Security analysis of Kubernetes, Docker Swarm, and Apache Mesos Orchestrators based on CVE / MITRE

Abstract

Container usage has grown in recent years. Some containerized applications consist of a considerable number of containers that need to be managed. In this context, container orchestration is essential for containerized applications to be managed efficiently. However, orchestrators introduce a new element that can bring new vulnerabilities. Our article presents a security analysis of three key orchestrators: Docker Swarm, Kubernetes, and Apache Mesos. Our analysis is based on data from the Common Vulnerabilities and Exposures (CVE) repository, correlated with the major threats identified by MITRE. Thus, we present a matrix correlating the CVEs and MITRE threats in order to indicate the major impacts that a container manager needs to take into account for risk mitigation.

Keywords: Kubernetes, Vulnerabilities, CVE, Security

Published: 2021-10-04
JENSEN, Nikolas; MIERS, Charles Christian. Security analysis of Kubernetes, Docker Swarm, and Apache Mesos Orchestrators based on CVE / MITRE. In: WORKSHOP ON SCIENTIFIC INITIATION AND UNDERGRADUATE WORKS - BRAZILIAN SYMPOSIUM ON INFORMATION AND COMPUTATIONAL SYSTEMS SECURITY (SBSEG), 21. , 2021, Evento Online. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2021 . p. 151-163. DOI: https://doi.org/10.5753/sbseg_estendido.2021.17349.