Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CALXpagykvZnnXHHPk6DP6O_qX5O=TBQK6_j-vO5ZFot5HY1NsQ@mail.gmail.com>
Date: Thu, 10 Nov 2022 09:25:36 -0800
From: Tim Allclair <timallclair@...il.com>
To: oss-security@...ts.openwall.com
Subject: [kubernetes] CVE-2022-3162: Unauthorized read of Custom Resources

Hello Kubernetes Community,

A security issue was discovered in Kubernetes where users authorized to
list or watch one type of namespaced custom resource cluster-wide can read
custom resources of a different type in the same API group without
authorization.

This issue has been rated Medium (
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N>),
and assigned CVE-2022-3162
Am I vulnerable?

Clusters are impacted by this vulnerability if all of the following are
true:

   1.

   There are 2+ CustomResourceDefinitions sharing the same API group
   2.

   Users have cluster-wide list or watch authorization on one of those
   custom resources.
   3.

   The same users are not authorized to read another custom resource in the
   same API group.

Affected Versions

   -

   Kubernetes kube-apiserver <= v1.25.3
   -

   Kubernetes kube-apiserver <= v1.24.7
   -

   Kubernetes kube-apiserver <= v1.23.13
   -

   Kubernetes kube-apiserver <= v1.22.15

How do I mitigate this vulnerability?

Upgrading the kube-apiserver to a fixed version mitigates this
vulnerability.

Prior to upgrading, this vulnerability can be mitigated by avoiding
granting cluster-wide list and watch permissions.
Fixed Versions

   -

   Kubernetes kube-apiserver v1.25.4
   -

   Kubernetes kube-apiserver v1.24.8
   -

   Kubernetes kube-apiserver v1.23.14
   -

   Kubernetes kube-apiserver v1.22.16

These releases will be published over the course of today, November 10th.
Detection

Requests containing `..` in the request path are a likely indicator of
exploitation. Request paths may be captured in API audit logs, or in
kube-apiserver HTTP logs.

If you find evidence that this vulnerability has been exploited, please
contact security@...ernetes.io
Additional Details

See the GitHub issue for more details:
https://github.com/kubernetes/kubernetes/issues/113756
Acknowledgements

This vulnerability was reported by Richard Turnbull of NCC Group as part of
the Kubernetes Audit.

Thank You,

Tim Allclair on behalf of the Kubernetes Security Response Committee

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.