Notice on the Kubernetes Security Vulnerability (CVE-2022-3172)
Description
Kubernetes community detected a security issue in kube-apiserver. This issue allows the aggregated API server to redirect client traffic to any URL, which may cause the client to perform unexpected operations and forward the client's API server credentials to a third party.
Type | CVE-ID | Severity | Discovered
---|---|---|---
SSRF | CVE-2022-3172 | Medium | 2022-09-09
Impact
Affected versions:
- kube-apiserver ≤ v1.23.10
CCE clusters of the preceding versions configured with the aggregated API server will be affected, especially for CCE clusters with logical multi-tenancy.
Identification Method
For CCE clusters and CCE Turbo clusters of version 1.23 or earlier, use kubectl to connect to the cluster and run the following command to check whether an aggregated API server is running:
kubectl get apiservices.apiregistration.k8s.io -o=jsonpath='{range .items[?(@.spec.service)]}{.metadata.name}{"\n"}{end}'
If the returned value is not empty, an aggregated API server exists in the cluster.
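The same check, as an added example that is not part of this notice: instead of the jsonpath one-liner, the operator captures `kubectl get apiservices.apiregistration.k8s.io -o json` and the `gitVersion` from `kubectl version -o json`, and the helper below lists every APIService backed by a Service and flags whether the kube-apiserver release falls in the affected range the notice gives. The APIService JSON is a constructed sample, not output from a real cluster.

```python
import json
import re

# Constructed sample of `kubectl get apiservices.apiregistration.k8s.io -o json`
# output (not from a real cluster): one built-in APIService without spec.service
# and one aggregated APIService that is served by a Service in kube-system.
SAMPLE_APISERVICES_JSON = json.dumps({
    "items": [
        {"metadata": {"name": "v1.apps"},
         "spec": {"group": "apps", "version": "v1"}},
        {"metadata": {"name": "v1beta1.metrics.k8s.io"},
         "spec": {"group": "metrics.k8s.io", "version": "v1beta1",
                  "service": {"name": "metrics-server", "namespace": "kube-system"}}},
    ]
})

# Last affected kube-apiserver release according to this notice (<= v1.23.10).
LAST_AFFECTED = (1, 23, 10)


def aggregated_apiservices(apiservices_json):
    """Return [(apiservice name, 'namespace/service')] for every APIService
    whose spec.service is set, i.e. the ones served by an aggregated API
    server. Built-in groups (no spec.service) are skipped, which matches the
    jsonpath filter `?(@.spec.service)` used in the notice."""
    found = []
    for item in json.loads(apiservices_json).get("items", []):
        svc = item.get("spec", {}).get("service")
        if svc:
            found.append((item["metadata"]["name"],
                          f"{svc.get('namespace', 'default')}/{svc['name']}"))
    return found


def is_affected_version(git_version):
    """True when a kube-apiserver gitVersion such as 'v1.23.10' (vendor
    suffixes like '-r0' are ignored) is at or below the last affected release."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", git_version)
    if not m:
        raise ValueError(f"unrecognised version string: {git_version!r}")
    return tuple(int(x) for x in m.groups()) <= LAST_AFFECTED


def exposure_report(git_version, apiservices_json):
    """Combine both checks: the cluster is exposed only if the apiserver is an
    affected release AND at least one aggregated APIService is registered."""
    aggregated = aggregated_apiservices(apiservices_json)
    affected = is_affected_version(git_version)
    return {"affected_version": affected, "aggregated": aggregated,
            "exposed": affected and bool(aggregated)}
```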
Solution
Upgrading is the currently available solution. In addition, the cluster administrator must control permissions so that untrusted personnel cannot deploy or control an aggregated API server through the APIService interface.
This vulnerability has been fixed in CCE clusters of v1.23.5-r0, v1.21.7-r0, and v1.19.16-r4.