Updated on 2024-01-26 GMT+08:00

Notice on the Kubernetes Security Vulnerability (CVE-2022-3172)

Recently, the Kubernetes community detected a security issue in kube-apiserver. This issue allows the aggregated API server to redirect client traffic to any URL, which may cause the client to perform unexpected operations and forward the client's API server credentials to a third party.

Vulnerability Details

Table 1 Vulnerability information

Vulnerability Type: SSRF
CVE-ID: CVE-2022-3172
Discovered: 2022-09-09

Threat Severity

Medium

Impact Scope

Affected versions:

  • kube-apiserver <= v1.23.10

CCE clusters of the preceding versions that have an aggregated API server configured are affected, especially CCE clusters with logical multi-tenancy.

Identification Method

For CCE clusters and CCE Turbo clusters of version 1.23 or earlier, use kubectl to connect to the cluster. Run the following command to check whether the aggregated API server is running:

kubectl get apiservices.apiregistration.k8s.io -o=jsonpath='{range .items[?(@.spec.service)]}{.metadata.name}{"\n"}{end}'

If the returned value is not empty, at least one aggregated API server is registered in the cluster.
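The check above only tells you whether any aggregated API server is registered. The following added helper (not part of this notice) goes one step further for multi-tenant clusters: it reads the JSON form of the same listing, keeps only APIService objects whose spec.service is set, and reports which in-cluster Service backs each one, flagging backends outside kube-system. The embedded APIServiceList is a constructed sample; the names metrics-server, custom-api and tenant-a are assumptions for illustration.

```python
"""Triage helper for CVE-2022-3172: list aggregated APIServices (those with
spec.service set) and show which backend Service each one delegates to.
Real input comes from: kubectl get apiservices.apiregistration.k8s.io -o json
"""
import json
from typing import Dict, List

# Constructed sample output; the names and namespaces are illustrative only.
SAMPLE_APISERVICES = json.dumps({
    "apiVersion": "apiregistration.k8s.io/v1",
    "kind": "APIServiceList",
    "items": [
        # Built-in API group served by kube-apiserver itself: no spec.service.
        {"metadata": {"name": "v1.apps"},
         "spec": {"group": "apps", "version": "v1"}},
        # Aggregated API backed by a Service in kube-system.
        {"metadata": {"name": "v1beta1.metrics.k8s.io"},
         "spec": {"group": "metrics.k8s.io", "version": "v1beta1",
                  "service": {"name": "metrics-server",
                              "namespace": "kube-system", "port": 443}}},
        # Aggregated API backed by a Service in a tenant namespace (assumed).
        {"metadata": {"name": "v1alpha1.example.tenant-a"},
         "spec": {"group": "example.tenant-a", "version": "v1alpha1",
                  "service": {"name": "custom-api",
                              "namespace": "tenant-a", "port": 443}}},
    ],
})

SYSTEM_NAMESPACES = {"kube-system"}


def find_aggregated_apiservices(apiservice_json: str) -> List[Dict[str, object]]:
    """Return one record per APIService that delegates to an in-cluster Service."""
    findings = []
    for item in json.loads(apiservice_json).get("items", []):
        spec = item.get("spec", {})
        svc = spec.get("service")
        if not svc:  # same filter as the jsonpath check: no spec.service -> skip
            continue
        ns = svc.get("namespace", "")
        findings.append({
            "apiservice": item["metadata"]["name"],
            "backend": f"{ns}/{svc.get('name', '')}:{svc.get('port', 443)}",
            "tenant_scope": ns not in SYSTEM_NAMESPACES,  # review on multi-tenant clusters
        })
    return findings


if __name__ == "__main__":
    for f in find_aggregated_apiservices(SAMPLE_APISERVICES):
        print(f"{'REVIEW' if f['tenant_scope'] else 'ok':6} {f['apiservice']:28} -> {f['backend']}")
```

An empty result means no aggregated API server is registered, which matches the "returned value is empty" case of the kubectl check.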

Preventive Measures

Upgrading is the currently available solution. The cluster administrator must restrict permissions so that untrusted personnel cannot deploy or control an aggregated API server through the APIService interface. A fixed version will be provided soon. Please follow the official announcement.