We are releasing K10 v2.0.4 today to address three High / Critical severity vulnerabilities reported by the Envoy security team on December 10. These issues can allow untrusted remote clients to crash Envoy or gain privileges that they should not have. Kasten K10, our data management platform that is purpose-built for Kubernetes, provides enterprise operations teams with an easy-to-use, scalable, and secure system for backup/restore, disaster recovery, and mobility of Kubernetes applications. Just like Istio and a host of other applications, K10 has a dependency on Envoy because we use Ambassador to route traffic into our platform (props to the Ambassador team on getting their bug-fix release out so quickly too!).
Given the severity of the CVEs, we recommend that all Kasten K10 users upgrade as soon as possible. You can upgrade to the latest version of K10 by following the instructions outlined here.
The details of the Common Vulnerabilities and Exposures (CVEs) that are addressed in this release include:
Given our enterprise focus, we have a strict definition of response times for CVEs at different severity levels. We also scan all our container images for vulnerabilities like the above to help us catch these issues early.
However, this is not simply an issue of great security hygiene and moving quickly in response to High or Critical CVEs. We have done a lot of work internally on our engineering infrastructure to always have our master branch ready to release, with a very extensive test framework and 100% test automation. Our deep test pipeline validates every commit and release on multiple public clouds, against the Container Storage Interface (CSI), with on-premises distributions such as OpenShift, with multiple applications representative of customer deployments, across upgrades from previous K10 releases, and more. All of this infrastructure, which we have invested in heavily, is what allows us not just to release regularly on a two-week cadence with confidence but also to turn around security-related releases very quickly.
-The Kasten Team
Gaurav Rishi is the VP of Product and Partnerships at Kasten by Veeam. He is at the forefront of several Kubernetes ecosystem partnerships and has been a frequent speaker and author on cloud-native innovations. He previously led Strategy and Product Management for Cisco's Cloud Media Processing business. In addition to launching multiple products and growing them to >$100M in revenues, he was also instrumental in several M&A transactions. Gaurav is a computer science graduate and has an MBA from the Wharton School.
We value the critical role that the security community plays in helping us protect the confidentiality, integrity, and availability of our software, services, and information. If you have information about security vulnerabilities that affect Kasten software, services, or information, please report it to us via our HackerOne Vulnerability Disclosure Program, or anonymously via this form.