Help Center/ Cloud Container Engine/ Product Bulletin/ Vulnerability Notices/ Notice on the Kubernetes Security Vulnerability (CVE-2022-3172)
Updated on 2023-08-02 GMT+08:00

Notice on the Kubernetes Security Vulnerability (CVE-2022-3172)

Description

Kubernetes community detected a security issue in kube-apiserver. This issue allows the aggregated API server to redirect client traffic to any URL, which may cause the client to perform unexpected operations and forward the client's API server credentials to a third party.

Table 1 Vulnerability information

Type

CVE-ID

Severity

Discovered

SSRF

CVE-2022-3172

Medium

2022-09-09

Impact

Affected versions:

  • kube-apiserver ≤ v1.23.10

CCE clusters of the preceding versions configured with the aggregated API server will be affected, especially for CCE clusters with logical multi-tenancy.

Identification Method

For CCE clusters and CCE Turbo clusters of version 1.23 or earlier, use web-terminal or kubectl to connect to the clusters. Run the following command to check whether the aggregated API server is running:

kubectl get apiservices.apiregistration.k8s.io -o=jsonpath='{range .items[?(@.spec.service)]}{.metadata.name}{"\n"}{end}'

If the returned value is not empty, the aggregated API server exists.

Solution

Upgrades are the currently available solution. The cluster administrator must control permissions to prevent untrusted personnel from deploying and controlling the aggregated API server through the API service interface.

This vulnerability has been fixed in CCE clusters of v1.23.5-r0, v1.21.7-r0, and v1.19.16-r4.