2211322 – (CVE-2023-2727) CVE-2023-2727 kube-apiserver: Bypassing policies imposed by the ImagePolicyWebhook admission plugin

Bug 2211322 (CVE-2023-2727) - CVE-2023-2727 kube-apiserver: Bypassing policies imposed by the ImagePolicyWebhook admission plugin

Summary: CVE-2023-2727 kube-apiserver: Bypassing policies imposed by the ImagePolicyWe...

Keywords:
Status:	NEW
Alias:	CVE-2023-2727
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2215200 2215202
Blocks:	2209134
TreeView+	depends on / blocked

Reported:	2023-05-31 06:02 UTC by Avinash Hanwate
Modified:	2024-04-15 09:52 UTC (History)
CC List:	7 users (show)
Fixed In Version:	kube-apiserver 1.27.3, kube-apiserver 1.26.6, kube-apiserver 1.25.11, kube-apiserver 1.24.15
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in Kubernetes, where users may be able to launch containers using images restricted by the ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2023:5008	0	None	None	None	2023-10-31 14:20:06 UTC

Description Avinash Hanwate 2023-05-31 06:02:16 UTC

A security issue was discovered in Kubernetes where users may be able to launch containers using images that are restricted by ImagePolicyWebhook 
when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral 
containers.

This issue affects kube-apiserver. Clusters are impacted by this vulnerability if:
   1. The ImagePolicyWebhook admission plugin is used to restrict the use of certain images and 
   2. Pods using ephemeral containers.

Comment 3 Avinash Hanwate 2023-06-15 05:43:50 UTC

Created golang-k8s-kubernetes tracking bugs for this issue:

Affects: fedora-all [bug 2215200]


Created origin tracking bugs for this issue:

Affects: fedora-all [bug 2215202]

Comment 6 errata-xmlrpc 2023-10-31 14:20:05 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:5008 https://access.redhat.com/errata/RHSA-2023:5008

Note You need to log in before you can comment on or make changes to this bug.