Top cloud-native CVEs of 2024: A Comprehensive Recap

Dec 26, 2024

Oshrat Nir
Developer Advocate

In 2024, several significant vulnerabilities were identified within the Kubernetes and broader cloud-native ecosystem. In this post we have compiled a roundup of the most notable Common Vulnerabilities and Exposures (CVEs) reported this year.

Kubernetes Core Vulnerabilities

CVE-2024-9486: Default Credentials in Kubernetes Image Builder

  • Severity: Critical
  • Description: VM images built with Kubernetes Image Builder versions ≤ v0.1.37 had default credentials enabled, potentially allowing unauthorized root access to nodes.
  • Mitigation: Update to Image Builder v0.1.38 or later and rebuild VM images without default credentials.
  • Related: CVE-2024-9594 affects the Nutanix, OVA, QEMU, and raw providers in a similar way. It received a lower severity because it is only exploitable if an attacker can access the VM during the build.

CVE-2024-10220: Arbitrary Command Execution via gitRepo Volumes

  • Severity: High
  • Description: A security flaw in Kubernetes allowed users with pod creation privileges to execute arbitrary commands on the host by attaching a gitRepo volume whose repository contained malicious git hooks.
  • Affected Versions: Kubelet versions through 1.28.11, 1.29.0 through 1.29.6, and 1.30.0 through 1.30.2.
  • Mitigation: Upgrade to patched versions and restrict pod creation permissions to trusted users.

Cloud-Native Ecosystem Vulnerabilities

CVE-2024-3094: Backdoor in XZ Utils

  • Severity: High
  • Description: A backdoor discovered in xz-utils exposed systems to potential unauthorized access and remote code execution.
  • Mitigation: Apply patches provided by the xz-utils maintainers and verify the integrity of installed packages.

CVE-2024-6387: RCE Vulnerability in OpenSSH Server

  • Severity: High
  • Description: This flaw allows remote unauthenticated code execution with root privileges by exploiting a signal handler race condition in the SSH server (sshd).
  • Affected Versions: 8.5p1 to 9.8p1 on glibc-based Linux systems.
  • Mitigation: Update OpenSSH to version 9.8p1 or later. If an immediate update is not possible, set LoginGraceTime to 0 in sshd_config as a temporary mitigation, but be aware that this may expose sshd to denial-of-service.
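The two checks a defender wants for this CVE are a version check and a check of the LoginGraceTime that sshd will actually use. The script below is an added example, not code from the original post or from the OpenSSH project. It encodes the post's figures (8.5p1 affected up to the 9.8p1 fix, glibc-based Linux only), applies the sshd_config rule that the first occurrence of a keyword wins, and treats LoginGraceTime 0 as the temporary mitigation the post describes. The server banner and the two sshd_config fragments are constructed.

```python
"""Check an OpenSSH server against CVE-2024-6387 and its stop-gap mitigation.

Added example (not part of the original post or of OpenSSH). The affected
range reflects the post's figures: 8.5p1 up to the 9.8p1 fix, glibc Linux.
"""
import re

OPENSSH_VERSION = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")
AFFECTED_FROM = (8, 5, 1)   # first affected release (per the post)
FIXED_AT = (9, 8, 1)        # first release carrying the fix (per the post)
DEFAULT_LOGIN_GRACE = 120   # sshd default of 2 minutes when unset
TIME_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_openssh_version(banner):
    """'SSH-2.0-OpenSSH_9.7p1 Debian-7' -> (9, 7, 1); None if not OpenSSH."""
    m = OPENSSH_VERSION.search(banner)
    if not m:
        return None
    major, minor, portable = m.groups()
    return (int(major), int(minor), int(portable or 0))


def version_affected(version, glibc=True):
    # The post scopes the issue to glibc-based Linux; other libcs are out of scope here.
    return glibc and AFFECTED_FROM <= version < FIXED_AT


def parse_time(value):
    """sshd time format: a number with an optional s/m/h/d/w suffix."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", value.lower())
    if not m:
        raise ValueError(f"unrecognised time value: {value!r}")
    return int(m.group(1)) * TIME_UNITS[m.group(2)]


def effective_login_grace_time(config_text):
    """LoginGraceTime sshd will use: the first occurrence wins, and the
    keyword is not valid inside Match blocks, so scanning stops there."""
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        rest = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            break
        if keyword == "logingracetime":
            return parse_time(rest)
    return DEFAULT_LOGIN_GRACE


def assess(banner, config_text, glibc=True):
    """Combine the version and configuration checks into one verdict."""
    version = parse_openssh_version(banner)
    affected = version is not None and version_affected(version, glibc)
    grace = effective_login_grace_time(config_text)
    if not affected:
        action = "none"
    elif grace == 0:
        action = "upgrade to 9.8p1 or later (temporary mitigation in place)"
    else:
        action = "upgrade to 9.8p1 or later now, or set LoginGraceTime 0 meanwhile"
    return {"version": version, "affected": affected,
            "login_grace_time": grace, "mitigated": grace == 0, "action": action}


# Constructed sample input: a pre-fix banner and a config that still uses the
# default-equivalent grace time; the second LoginGraceTime line is ignored
# by sshd because the first value wins.
SAMPLE_BANNER = "SSH-2.0-OpenSSH_9.7p1 Debian-7"
SAMPLE_CONFIG = """\
# constructed sshd_config fragment
Port 22
LoginGraceTime 2m
PermitRootLogin no
# a later duplicate does not override the first value
LoginGraceTime 30
"""
HARDENED_CONFIG = SAMPLE_CONFIG.replace("LoginGraceTime 2m", "LoginGraceTime 0", 1)

if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_CONFIG))
    print(assess(SAMPLE_BANNER, HARDENED_CONFIG))
```

On a real host, feed `assess()` the banner read from port 22 and the contents of /etc/ssh/sshd_config; the verdict distinguishes "fixed", "affected but temporarily mitigated" and "affected and unmitigated".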

CVE-2024-7646: Ingress-NGINX Annotation Validation Bypass

  • Severity: High
  • Description: This flaw enables users with permissions to create Ingress objects to inject arbitrary commands and obtain the ingress-nginx controller’s credentials, potentially granting access to all secrets in the cluster.
  • Affected Versions: ingress-nginx controller versions prior to v1.11.2 and v1.10.4.
  • Mitigation: Update the ingress-nginx controller to version 1.11.2 or later, or 1.10.4 or later.
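The gitRepo finding (CVE-2024-10220) and the ingress-nginx finding (CVE-2024-7646) above can both be checked from a single pod listing. The script below is an added example, not code from the original post, from ARMO or from the Kubernetes project: it reads the JSON that `kubectl get pods -A -o json` prints, reports every pod that mounts a gitRepo volume, and reports every ingress-nginx controller pod whose image tag is below the fixed versions 1.11.2 / 1.10.4. The image pattern assumes the upstream `ingress-nginx/controller` image name, and the PodList embedded at the bottom is constructed.

```python
"""Audit a Kubernetes PodList for two issues from the 2024 recap.

Added example (not ARMO's or Kubernetes' code). Input is the JSON that
`kubectl get pods -A -o json` prints; SAMPLE_PODLIST below is constructed.
"""
import json
import re

# Upstream controller image, e.g. registry.k8s.io/ingress-nginx/controller:v1.11.1.
# Mirrors under another name would need their own pattern (assumption).
INGRESS_NGINX_IMAGE = re.compile(r"ingress-nginx/controller:v?(\d+)\.(\d+)\.(\d+)")

# First fixed release per supported minor (CVE-2024-7646): 1.11.2 and 1.10.4.
INGRESS_NGINX_FIXED = {(1, 11): (1, 11, 2), (1, 10): (1, 10, 4)}


def ingress_nginx_affected(version):
    """True if a controller version predates the fixed release for its minor.
    Minors older than 1.10 never received the fix and are reported as affected;
    minors newer than 1.11 are assumed to include it."""
    major_minor = (version[0], version[1])
    if major_minor in INGRESS_NGINX_FIXED:
        return version < INGRESS_NGINX_FIXED[major_minor]
    return version < (1, 10, 0)


def pod_images(pod):
    """Yield every container image in a pod, init containers included."""
    spec = pod.get("spec", {})
    for key in ("initContainers", "containers"):
        for container in spec.get(key, []):
            yield container.get("image", "")


def find_gitrepo_volumes(podlist):
    """(namespace, pod, volume) for every gitRepo volume (CVE-2024-10220)."""
    hits = []
    for pod in podlist.get("items", []):
        meta = pod.get("metadata", {})
        for volume in pod.get("spec", {}).get("volumes", []):
            if "gitRepo" in volume:
                hits.append((meta.get("namespace"), meta.get("name"), volume.get("name")))
    return hits


def find_vulnerable_ingress_nginx(podlist):
    """(namespace, pod, image) for controller pods below the fixed versions."""
    hits = []
    for pod in podlist.get("items", []):
        meta = pod.get("metadata", {})
        for image in pod_images(pod):
            m = INGRESS_NGINX_IMAGE.search(image)
            if m and ingress_nginx_affected(tuple(int(x) for x in m.groups())):
                hits.append((meta.get("namespace"), meta.get("name"), image))
    return hits


def audit(podlist_json):
    """Run both checks over a PodList JSON document."""
    podlist = json.loads(podlist_json)
    return {
        "gitrepo_volumes": find_gitrepo_volumes(podlist),
        "vulnerable_ingress_nginx": find_vulnerable_ingress_nginx(podlist),
    }


# Constructed sample: one pod with a gitRepo volume, one controller on a
# pre-fix tag, one controller on the fixed tag, and one ordinary pod.
SAMPLE_PODLIST = json.dumps({
    "kind": "PodList",
    "items": [
        {"metadata": {"namespace": "dev", "name": "builder"},
         "spec": {"containers": [{"name": "app", "image": "alpine:3.20"}],
                  "volumes": [{"name": "src",
                               "gitRepo": {"repository": "https://example.invalid/repo.git"}}]}},
        {"metadata": {"namespace": "ingress-nginx", "name": "controller-old"},
         "spec": {"containers": [{"name": "controller",
                                  "image": "registry.k8s.io/ingress-nginx/controller:v1.11.1"}]}},
        {"metadata": {"namespace": "ingress-nginx", "name": "controller-new"},
         "spec": {"containers": [{"name": "controller",
                                  "image": "registry.k8s.io/ingress-nginx/controller:v1.11.2"}]}},
        {"metadata": {"namespace": "prod", "name": "web"},
         "spec": {"containers": [{"name": "web", "image": "nginx:1.27"}],
                  "volumes": [{"name": "tmp", "emptyDir": {}}]}},
    ],
})

if __name__ == "__main__":
    import sys
    data = "" if sys.stdin.isatty() else sys.stdin.read()
    for check, hits in audit(data if data.strip() else SAMPLE_PODLIST).items():
        print(check, *hits, sep="\n  ")
```

Run it as `kubectl get pods -A -o json | python3 audit.py` to check a live cluster; with no input it audits the constructed sample. A gitRepo hit is a pod to migrate to an init container or another volume type, and a controller hit is an upgrade ticket.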

CVE-2024-45806: Header Manipulation in Envoy Proxy

  • Severity: Medium
  • Description: A vulnerability in Envoy allowed external clients to manipulate headers, potentially leading to unauthorized access or other malicious actions.
  • Mitigation: This issue has been addressed in versions 1.31.2, 1.30.6, 1.29.9, and 1.28.7. Users are advised to upgrade.

Security Trends in 2024

Numerical analysis

To analyze vulnerability trends in Kubernetes and its ecosystem, we conducted queries on the National Vulnerability Database (NVD) website*. We found that in the past year, 81 vulnerabilities were identified in Kubernetes and the cloud-native ecosystem. These vulnerabilities represent 22.7% of all vulnerabilities ever found in this ecosystem. While the number of vulnerabilities discovered in Kubernetes itself has remained relatively stable, there has been an increase in vulnerabilities within the broader cloud-native ecosystem. 

[Chart: vulnerability counts for Kubernetes and for the wider cloud-native ecosystem]

While the numbers in this ecosystem may seem unimpressive, they must be read against a record year for vulnerabilities overall: the total number of reports grew from 28,817 to 38,958.

*This analysis was conducted in mid-December 2024, and the final year-end results may vary as additional vulnerabilities could be discovered or reported before the year’s conclusion. Readers should interpret these findings as a snapshot of the current vulnerability landscape rather than a definitive annual assessment.

Material analysis

Increased focus on supply chain security – CVE-2024-9486 and CVE-2024-9594 highlight vulnerabilities in the Kubernetes Image Builder, emphasizing the need for secure image creation and validation processes.

Persistent threats in core components – CVE-2024-10220 exposed a critical flaw in the Kubelet, demonstrating that even core Kubernetes components remain vulnerable to exploitation.

Rising importance of access control – Multiple vulnerabilities, including CVE-2024-7646 and CVE-2024-10220, underscore the critical need for robust access control mechanisms and the principle of least privilege.

Continued relevance of traditional security issues – CVE-2024-6387 in OpenSSH shows that even well-established technologies can harbor significant vulnerabilities, emphasizing the need for ongoing vigilance and patching.

Recommendations for a secure 2025

  • Regular Updates: Ensure all components within your Kubernetes and cloud-native stack are up-to-date with the latest security patches.
  • Access Controls: Implement strict role-based access controls (RBAC) to limit permissions to only those necessary for users and services.
  • Vulnerability Scanning: Continuously scan your environments for known vulnerabilities using reputable tools and address any findings promptly.
  • Community Engagement: Stay informed by participating in community discussions and monitoring official security advisories related to Kubernetes and associated projects.
  • Increased adoption of cloud-native security solutions: Ensure that the solutions you choose in 2025 provide the context necessary to best support the complex security needs of cloud-native applications from development to runtime.
  • Adoption of zero-trust architectures: The vulnerabilities discovered reinforce the trend towards implementing zero-trust security models in cloud-native environments.
  • Enhanced network security through microsegmentation: This approach is gaining traction to isolate workloads and prevent lateral movement of threats within Kubernetes clusters.

By adhering to these practices, organizations can enhance their security posture and better protect their cloud-native environments against evolving threats.

Don’t wait for the next vulnerability to compromise your infrastructure. Watch an ARMO Platform demo today and learn how you can transform your Kubernetes security from reactive to proactive. 
