Notice on the Kubernetes Security Vulnerability (CVE-2022-3172)
Recently, the Kubernetes community detected a security issue in kube-apiserver. This issue allows the aggregated API server to redirect client traffic to any URL, which may cause the client to perform unexpected operations and forward the client's API server credentials to a third party.
Vulnerability Details
Vulnerability Type |
CVE-ID |
Discovered |
|---|---|---|
SSRF |
2022-09-09 |
Threat Severity
Medium
Impact Scope
Affected versions:
- kube-apiserver <= v1.23.10
CCE clusters of the preceding versions configured with the aggregated API server will be affected, especially for CCE clusters with logical multi-tenancy.
Identification Method
For CCE clusters and CCE Turbo clusters of version 1.23 or earlier, use kubectl to connect to the cluster. Run the following command to check whether the aggregated API server is running:
kubectl get apiservices.apiregistration.k8s.io -o=jsonpath='{range .items[?(@.spec.service)]}{.metadata.name}{"\n"}{end}'
If the returned value is not empty, the aggregated API server exists.
Preventive Measures
Upgrades are the currently available solution. The cluster administrator must control permissions to prevent untrusted personnel from deploying and controlling the aggregated API server through the API service interface. A fixed version will be provided soon. Please follow the official announcement.
Helpful Links
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
