Kubernetes in GovCloud: patch and scan priority

Federal briefings urge integrating real‑time vulnerability scanning and automated compliance checks into CI/CD for containerized and Kubernetes workloads—especially after new KEV listings and the Oracle RCE that threaten federated identity sidecars. The guidance frames container image scanning, SBOM validation, and automated mitigation as immediate operational requirements for AWS GovCloud/IL deployments. (thehackernews.com) (x.com)

CISA added five CVEs to the KEV catalog on March 20, 2026: CVE‑2025‑31277, CVE‑2025‑32432, CVE‑2025‑43510, CVE‑2025‑43520, and CVE‑2025‑54068. (cisa.gov) Public reporting shows CVE‑2025‑32432 (Craft CMS) carries a CVSSv3 base score of 10.0 and CVE‑2025‑54068 (Laravel Livewire) a 9.8, while multiple Apple flaws in the KEV batch registered scores in the 8+ range. (thehackernews.com)

Oracle published an out‑of‑band Security Alert for CVE‑2026‑21992 on March 19–21, 2026, describing an unauthenticated remote‑code‑execution flaw in Oracle Identity Manager and Oracle Web Services Manager with a CVSSv3 score of 9.8. (oracle.com) Security vendors confirmed the urgency of CVE‑2026‑21992 and flagged Oracle’s emergency fix as evidence of elevated risk to identity infrastructure, noting the advisory was issued outside Oracle’s regular quarterly CPU cycle. (tenable.com) Oracle’s earlier Identity Manager auth‑bypass RCE CVE‑2025‑61757 was added to KEV in November 2025 with an associated federal remediation deadline in December 2025, and NVD listings show the flaw affects OIM REST WebServices in versions 12.2.1.4.0 and 14.1.2.1.0. (intruvent.com) (nvd.nist.gov)

Sidecar OIDC/OAuth proxies used as Kubernetes sidecars (examples: Wonderwall and oauth2‑proxy patterns) hold and relay identity tokens for workloads, making IdP compromise an immediate vector to forge or misuse workload identities; published sidecar analyses show local proxy trust can expose the mesh to identity takeover. (github.com) (instatunnel.my)

AWS tooling and federal compliance documents provide concrete automation paths: Amazon Inspector can generate SBOMs in CycloneDX/SPDX and integrate image scans into CI/CD pipelines, while FedRAMP’s container vulnerability‑scanning guidance and vendor solutions (Anchore, Qualys) define the 30‑day scanning cadence and CI/CD gating patterns expected for authorized systems. (docs.aws.amazon.com) (fedramp.gov) (anchore.com)

CISA’s BOD 22‑01 remains the binding mechanism for KEV remediation timelines, and federal/DOD GovCloud baselines (AWS compliant framework for GovCloud IL4/IL5) and supplier SBOM practices should be used to automate KEV ingestion, CI/CD image‑blocking, and emergency patch orchestration for Identity Manager exposures. (cisa.gov) (github.com) (media.defense.gov)
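The gating step the briefing keeps returning to (ingest the KEV feed, validate the SBOM, block the image in CI/CD) as a worked example. This is added illustration code, not the page's or any vendor's tooling: the KEV snapshot borrows the field names of CISA's public KEV JSON feed (cveID, dateAdded, dueDate) but its due dates are placeholders rather than CISA's real deadlines; the SBOM is a minimal CycloneDX-shaped document with made-up component versions; the scan findings use a simple shape of our own, not Amazon Inspector's native format; and the CVE-0000-000x identifiers are placeholders for ordinary, non-KEV findings.

```python
"""KEV-aware CI/CD image gate: SBOM consistency + KEV membership + CVSS threshold.

Added example with constructed data. The KEV snapshot mimics the field names of
CISA's public KEV JSON feed; the SBOM is CycloneDX-shaped; the findings use a
simple shape of our own rather than Amazon Inspector's native finding format.
"""
import json
from dataclasses import dataclass, field
from datetime import date

# Constructed KEV snapshot. The five cveIDs are the March 20, 2026 additions cited
# in the briefing; the dueDate values are placeholders, not CISA's real deadlines.
KEV_FEED_JSON = json.dumps({
    "catalogVersion": "constructed-snapshot",
    "vulnerabilities": [
        {"cveID": cve, "dateAdded": "2026-03-20", "dueDate": "2026-04-10"}
        for cve in ("CVE-2025-31277", "CVE-2025-32432", "CVE-2025-43510",
                    "CVE-2025-43520", "CVE-2025-54068")
    ],
})

# Constructed CycloneDX-shaped SBOM for the image under test (versions are made up).
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "bom-ref": "pkg:composer/livewire/livewire@3.0.0",
         "name": "livewire", "version": "3.0.0"},
        {"type": "library", "bom-ref": "pkg:generic/oracle-owsm@0.0.0-placeholder",
         "name": "oracle-owsm", "version": "0.0.0-placeholder"},
        {"type": "library", "bom-ref": "pkg:deb/debian/openssl@3.0.13",
         "name": "openssl", "version": "3.0.13"},
    ],
}

# Constructed scanner output. CVE-0000-000x ids are placeholders for ordinary
# non-KEV findings; the last entry references a component the SBOM never declared.
SCAN_FINDINGS = [
    {"cve": "CVE-2025-54068", "component": "pkg:composer/livewire/livewire@3.0.0", "cvss": 9.8},
    {"cve": "CVE-2026-21992", "component": "pkg:generic/oracle-owsm@0.0.0-placeholder", "cvss": 9.8},
    {"cve": "CVE-0000-0001", "component": "pkg:deb/debian/openssl@3.0.13", "cvss": 5.3},
    {"cve": "CVE-0000-0002", "component": "pkg:npm/undeclared-helper@1.0.0", "cvss": 4.0},
]


@dataclass
class GateDecision:
    blocked: bool
    kev_hits: list = field(default_factory=list)         # findings whose CVE is in KEV
    overdue: list = field(default_factory=list)          # KEV hits already past their due date
    severity_hits: list = field(default_factory=list)    # non-KEV findings at/above the CVSS threshold
    sbom_mismatches: list = field(default_factory=list)  # findings on components absent from the SBOM


def parse_kev(feed_json: str) -> dict:
    """Ingest a KEV feed document and index its entries by CVE id."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def sbom_component_refs(sbom: dict) -> set:
    """The set of bom-refs declared by a CycloneDX-shaped SBOM."""
    return {c["bom-ref"] for c in sbom.get("components", [])}


def evaluate_image(sbom, findings, kev, today_iso, cvss_threshold=9.0) -> GateDecision:
    """Decide whether an image may be promoted. Blocks on any KEV-listed CVE
    (regardless of score, since BOD 22-01 timelines apply), on any other finding
    at or above cvss_threshold, and on any finding the SBOM cannot account for."""
    declared = sbom_component_refs(sbom)
    today = date.fromisoformat(today_iso)
    d = GateDecision(blocked=False)
    for f in findings:
        cve = f["cve"]
        if f["component"] not in declared:
            d.sbom_mismatches.append(cve)
        if cve in kev:
            d.kev_hits.append(cve)
            if today > date.fromisoformat(kev[cve]["dueDate"]):
                d.overdue.append(cve)
        elif f["cvss"] >= cvss_threshold:
            d.severity_hits.append(cve)
    d.blocked = bool(d.kev_hits or d.severity_hits or d.sbom_mismatches)
    return d


if __name__ == "__main__":
    decision = evaluate_image(SBOM, SCAN_FINDINGS, parse_kev(KEV_FEED_JSON), "2026-04-15")
    print(decision)
```

In a real pipeline the three inputs would be the downloaded KEV feed, the CycloneDX SBOM Inspector (or another generator) produced for the image, and the scanner's findings, and a `blocked` decision fails the stage. Two design points: a KEV match blocks on membership alone, because the remediation clock under BOD 22‑01 does not depend on the CVSS score, and a finding on a component the SBOM never declared is treated as a failure in its own right, since it means the SBOM no longer describes what is actually in the image.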
