Date: Thu, 10 Nov 2022 09:25:36 -0800 From: Tim Allclair <timallclair@...il.com> To: oss-security@...ts.openwall.com Subject: [kubernetes] CVE-2022-3162: Unauthorized read of Custom Resources Hello Kubernetes Community, A security issue was discovered in Kubernetes where users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group without authorization. This issue has been rated Medium ( CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N <https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N>), and assigned CVE-2022-3162 Am I vulnerable? Clusters are impacted by this vulnerability if all of the following are true: 1. There are 2+ CustomResourceDefinitions sharing the same API group 2. Users have cluster-wide list or watch authorization on one of those custom resources. 3. The same users are not authorized to read another custom resource in the same API group. Affected Versions - Kubernetes kube-apiserver <= v1.25.3 - Kubernetes kube-apiserver <= v1.24.7 - Kubernetes kube-apiserver <= v1.23.13 - Kubernetes kube-apiserver <= v1.22.15 How do I mitigate this vulnerability? Upgrading the kube-apiserver to a fixed version mitigates this vulnerability. Prior to upgrading, this vulnerability can be mitigated by avoiding granting cluster-wide list and watch permissions. Fixed Versions - Kubernetes kube-apiserver v1.25.4 - Kubernetes kube-apiserver v1.24.8 - Kubernetes kube-apiserver v1.23.14 - Kubernetes kube-apiserver v1.22.16 These releases will be published over the course of today, November 10th. Detection Requests containing `..` in the request path are a likely indicator of exploitation. Request paths may be captured in API audit logs, or in kube-apiserver HTTP logs. If you find evidence that this vulnerability has been exploited, please contact security@...ernetes.io Additional Details See the GitHub issue for more details: https://github.com/kubernetes/kubernetes/issues/113756 Acknowledgements This vulnerability was reported by Richard Turnbull of NCC Group as part of the Kubernetes Audit. Thank You, Tim Allclair on behalf of the Kubernetes Security Response Committee
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.