Severity
High
Analysis Summary
Microsoft researchers have discovered that threat actors are actively exploiting misconfigured Apache Pinot instances deployed on Kubernetes, exposing sensitive data due to insecure default configurations.
Apache Pinot is an open-source real-time analytics platform used by major organizations such as Walmart, Uber, Slack, LinkedIn, Wix, and Stripe. It is designed for fast, low-latency querying of large datasets. However, Microsoft’s investigation revealed that the official documentation fails to alert users to the security risks of its default setup when deployed via Kubernetes.
The default configuration of Apache Pinot exposes its core components to the internet through Kubernetes LoadBalancer services, and lacks any built-in authentication. This creates a serious vulnerability: unauthenticated attackers can access the Pinot dashboard, query sensitive data, and manipulate workloads.
Microsoft observed real-world attacks targeting these insecure deployments, with attackers successfully gaining access to data. The company emphasized that the issue lies not just with Pinot, but with a broader trend of misconfigured containerized applications that rely on insecure default settings.
The research further highlighted a related vulnerability in Meshery, an engineering platform used for managing cloud infrastructure. In Meshery’s case, attackers can execute arbitrary code and gain control of backend resources if they gain access to the externally exposed application interface. Microsoft advises mitigating this risk by restricting access to internal networks.
In conclusion, Microsoft stresses that many exploits of containerized applications stem from poor configuration practices, particularly the use of default settings without proper authentication. The company urges developers and administrators to review and secure their Kubernetes workloads to prevent exposure and potential compromise.
Impact
- Sensitive Data Exposure
- Unauthorized Access
- Data Manipulation
Remediation
- Regularly audit and review Kubernetes configurations for misconfigurations.
- Monitor network traffic for unauthorized access attempts or anomalies.
- Implement strong authentication and authorization mechanisms for all interfaces.
- Disable default public exposure of Apache Pinot components via Kubernetes LoadBalancer.
- Restrict access to Apache Pinot dashboards to internal or trusted networks.
- Avoid using default settings; customize configurations to meet security best practices.
- Secure Meshery by limiting its access to internal IPs and networks only.
- Apply principle of least privilege to services and user roles.
- Use firewall rules and network policies to isolate sensitive workloads.
- Keep software components, including Pinot and Meshery, up to date with security patches.
- Conduct routine vulnerability assessments and penetration testing.
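The audit in the first remediation item can be automated. The script below, an added example that is not part of Microsoft's report or of the Pinot or Meshery projects, walks the JSON that `kubectl get svc -A -o json` emits, flags Pinot or Meshery Services whose type makes them reachable from outside the cluster, and shows the ClusterIP rewrite that closes the exposure. The name/label matching and the sample Service list are constructed assumptions, not the projects' real manifests.

```python
import json

# Substrings that mark a Pinot or Meshery Service (assumed; adjust to your labels).
WATCHED = ("pinot", "meshery")
# Service types that hand out an address reachable from outside the cluster.
PUBLIC_TYPES = {"LoadBalancer", "NodePort"}


def is_watched(svc):
    """True if the Service name or any label value names a watched component."""
    meta = svc.get("metadata", {})
    values = [meta.get("name", "")] + list(meta.get("labels", {}).values())
    return any(w in v.lower() for v in values for w in WATCHED)


def external_addrs(svc):
    """External IPs/hostnames the cloud provider has bound to the Service, if any."""
    ingress = svc.get("status", {}).get("loadBalancer", {}).get("ingress") or []
    return [i.get("ip") or i.get("hostname") for i in ingress if i.get("ip") or i.get("hostname")]


def find_exposed(service_list):
    """Return one finding per watched Service that is exposed outside the cluster."""
    findings = []
    for svc in service_list.get("items", []):
        spec = svc.get("spec", {})
        if spec.get("type") not in PUBLIC_TYPES or not is_watched(svc):
            continue
        meta = svc["metadata"]
        findings.append({"namespace": meta.get("namespace", "default"), "name": meta["name"],
                         "type": spec["type"], "ports": [p.get("port") for p in spec.get("ports", [])],
                         "external": external_addrs(svc)})
    return findings


def harden(svc):
    """Copy of a Service manifest switched to ClusterIP (internal-only), ready to re-apply."""
    fixed = json.loads(json.dumps(svc))
    fixed["spec"]["type"] = "ClusterIP"
    fixed["spec"].pop("externalTrafficPolicy", None)  # only meaningful for LoadBalancer/NodePort
    fixed.pop("status", None)                          # server-populated, must not be re-applied
    return fixed


# Constructed sample mimicking `kubectl get svc -A -o json` (ports are the usual defaults).
SAMPLE = {"items": [
    {"metadata": {"name": "pinot-controller", "namespace": "pinot", "labels": {"app": "pinot"}},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 9000}]},
     "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.10"}]}}},
    {"metadata": {"name": "pinot-zookeeper", "namespace": "pinot", "labels": {"app": "zookeeper"}},
     "spec": {"type": "ClusterIP", "ports": [{"port": 2181}]}, "status": {"loadBalancer": {}}},
    {"metadata": {"name": "meshery", "namespace": "meshery", "labels": {"app": "meshery"}},
     "spec": {"type": "NodePort", "ports": [{"port": 9081}]}, "status": {"loadBalancer": {}}},
]}

if __name__ == "__main__":
    for f in find_exposed(SAMPLE):
        print(f"{f['namespace']}/{f['name']}: {f['type']} ports={f['ports']} external={f['external']}")
```

Pipe real cluster output into `find_exposed(json.load(sys.stdin))` and feed each flagged manifest through `harden()` before `kubectl apply`; the rewrite removes the public address but does not add authentication, which Pinot still needs to be configured for separately.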