Bug 2136675 (CVE-2022-3294) - CVE-2022-3294 kubernetes: node address isn't always verified when proxying
Summary: CVE-2022-3294 kubernetes: node address isn't always verified when proxying
Keywords:
Status: NEW
Alias: CVE-2022-3294
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2141990 2141991
Blocks: 2134975
TreeView+ depends on / blocked
 
Reported: 2022-10-20 22:18 UTC by Anten Skrabec
Modified: 2024-03-19 18:25 UTC (History)
4 users (show)

Fixed In Version: Kubernetes kube-apiserver 1.25.4, Kubernetes kube-apiserver 1.24.8, Kubernetes kube-apiserver 1.23.14, Kubernetes kube-apiserver 1.22.16
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Kubernetes, where users may have access to secure endpoints in the control plane network. Kubernetes supports node proxying, which allows clients of kube-apiserver to access endpoints of a Kubelet to establish connections to Pods, retrieve container logs, and more. While Kubernetes already validates the proxying address for Nodes, a bug in the kube-apiserver made it possible to bypass this validation. Bypassing this validation allows authenticated requests destined for Nodes to redirect to the API Server through its private network.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description Anten Skrabec 2022-10-20 22:18:22 UTC 
A security issue was discovered in Kubernetes where users may have access
to secure endpoints in the control plane network. Kubernetes clusters are
only affected if an untrusted user can to modify Node objects and send
requests proxying through them.
Comment 3 Avinash Hanwate 2022-11-11 11:02:27 UTC 
Created golang-k8s-kubernetes tracking bugs for this issue:

Affects: fedora-all [bug 2141991]


Created origin tracking bugs for this issue:

Affects: fedora-all [bug 2141990]
Note You need to log in before you can comment on or make changes to this bug.