[Security Advisory] CVE-2022-3162: Unauthorized read of Custom Resources

655 views
Skip to first unread message

Tim Allclair

unread,
Nov 10, 2022, 12:14:08 PM11/10/22
to kubernetes-announce, d...@kubernetes.io, kubernetes-sec...@googlegroups.com, kubernetes-security-discuss, distributo...@kubernetes.io, kubernetes+a...@discoursemail.com

Hello Kubernetes Community,

A security issue was discovered in Kubernetes where users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group without authorization.

This issue has been rated Medium (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N), and assigned CVE-2022-3162

Am I vulnerable?

Clusters are impacted by this vulnerability if all of the following are true:

  1. There are 2+ CustomResourceDefinitions sharing the same API group

  2. Users have cluster-wide list or watch authorization on one of those custom resources.

  3. The same users are not authorized to read another custom resource in the same API group.

Affected Versions

  • Kubernetes kube-apiserver <= v1.25.3

  • Kubernetes kube-apiserver <= v1.24.7

  • Kubernetes kube-apiserver <= v1.23.13

  • Kubernetes kube-apiserver <= v1.22.15

How do I mitigate this vulnerability?

Upgrading the kube-apiserver to a fixed version mitigates this vulnerability.

Prior to upgrading, this vulnerability can be mitigated by avoiding granting cluster-wide list and watch permissions.

Fixed Versions

  • Kubernetes kube-apiserver v1.25.4

  • Kubernetes kube-apiserver v1.24.8

  • Kubernetes kube-apiserver v1.23.14

  • Kubernetes kube-apiserver v1.22.16

These releases will be published over the course of today, November 10th.

Detection

Requests containing `..` in the request path are a likely indicator of exploitation. Request paths may be captured in API audit logs, or in kube-apiserver HTTP logs.

If you find evidence that this vulnerability has been exploited, please contact secu...@kubernetes.io

Additional Details

See the GitHub issue for more details: https://github.com/kubernetes/kubernetes/issues/113756

Acknowledgements

This vulnerability was reported by Richard Turnbull of NCC Group as part of the Kubernetes Audit.

Thank You,

Tim Allclair on behalf of the Kubernetes Security Response Committee


Reply all
Reply to author
Forward
0 new messages