The malware affects the Go library called “containers/storage.” It is triggered when a malicious image is placed inside the registry, and a DoS condition is initiated when the image is pulled from the registry by an unwitting user. Malicious actors can jeopardize any containerized infrastructure that relies on vulnerable container engines like Kubernetes and OpenShift.
Kubernetes Kube-apiserver allows a remote authenticated attacker to bypass security restrictions that are caused when performing note updates. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass a Validating Admission Webhook.
Upgrade to the latest version of Kube-apiserver (1.18.18, 1.19.10, 1.20.6, 1.21.0 or later)