Back to bug 2136675
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Anten Skrabec | 2022-10-20 22:18:22 UTC | CC | security-response-team | |
| Anten Skrabec | 2022-10-20 22:18:58 UTC | CC | jburrell, vkumar | |
| RaTasha Tillery-Smith | 2022-10-21 11:43:48 UTC | Doc Text | A security issue was discovered in Kubernetes where users may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted user can to modify Node objects and send requests proxying through them. Kubernetes supports node proxying, which allows clients of kube-apiserver to access endpoints of a Kubelet to establish connections to Pods, retrieve container logs, and more. While Kubernetes already validates the proxying address for Nodes, a bug in kube-apiserver made it possible to bypass this validation. Bypassing this validation could allow authenticated requests destined for Nodes to be redirected to the API Server through its private network. | A flaw was found in Kubernetes, where users may have access to secure endpoints in the control plane network. Kubernetes supports node proxying, which allows clients of kube-apiserver to access endpoints of a Kubelet to establish connections to Pods, retrieve container logs, and more. While Kubernetes already validates the proxying address for Nodes, a bug in the kube-apiserver made it possible to bypass this validation. Bypassing this validation allows authenticated requests destined for Nodes to redirect to the API Server through its private network. |
| Avinash Hanwate | 2022-10-31 09:23:26 UTC | Group | team ocp_embargoes | |
| Avinash Hanwate | 2022-11-11 03:44:12 UTC | Group | team ocp_embargoes, security, qe_staff | |
| | | Summary | EMBARGOED CVE-2022-3294 openshift: node address isn't always verified when proxying | CVE-2022-3294 openshift: node address isn't always verified when proxying |
| | | Deadline | 2022-11-09 | |
| Avinash Hanwate | 2022-11-11 04:21:36 UTC | CC | joelsmith | |
| Avinash Hanwate | 2022-11-11 04:22:26 UTC | CC | jburrell, vkumar | |
| Avinash Hanwate | 2022-11-11 04:22:57 UTC | CC | joelsmith | |
| Avinash Hanwate | 2022-11-11 04:32:40 UTC | Summary | CVE-2022-3294 openshift: node address isn't always verified when proxying | CVE-2022-3294 kubernetes: node address isn't always verified when proxying |
| Avinash Hanwate | 2022-11-11 04:38:12 UTC | Fixed In Version | Kubernetes kube-apiserver 1.25.4, Kubernetes kube-apiserver 1.24.8, Kubernetes kube-apiserver 1.23.14, Kubernetes kube-apiserver 1.22.16 | |
| Avinash Hanwate | 2022-11-11 11:02:22 UTC | Depends On | 2141991, 2141990 | |
| Doug Hellmann | 2022-11-11 12:14:22 UTC | CC | dhellmann | |
| | | Doc Type | --- | If docs needed, set a value |
| RaTasha Tillery-Smith | 2022-11-11 14:51:43 UTC | CC | jburrell, vkumar | |
| Red Hat Bugzilla | 2023-07-07 08:35:22 UTC | CC | security-response-team | |
| | | Assignee | security-response-team | nobody |