The Kubernetes community recently disclosed vulnerability CVE-2022-3294. An attacker who can modify Node objects and send proxy requests to them can bypass the address validation that kube-apiserver performs for node proxy requests. This way, the attacker can reach endpoints on the internal network of kube-apiserver.

CVE-2022-3294 is rated as medium severity. The Common Vulnerability Scoring System (CVSS) score of this vulnerability is 6.6.

Affected versions

The following kube-apiserver versions are affected:

  • v1.25.0 to v1.25.3
  • v1.24.0 to v1.24.7
  • v1.23.0 to v1.23.13
  • v1.22.0 to v1.22.15
  • v1.21 and earlier

This vulnerability is fixed in the following kube-apiserver versions:

  • v1.25.4
  • v1.24.8
  • v1.23.14
  • v1.22.16

For more information about the vulnerability, see Kubernetes issue #113757.

Impacts

Kubernetes supports node proxying, which allows clients of kube-apiserver to reach kubelet endpoints, for example to connect to pods or retrieve container logs. kube-apiserver resolves the target of such a request from the addresses recorded on the Node object. If an untrusted user is granted the role-based access control (RBAC) permissions to create or modify Node objects and to send proxy requests to them, the user can set a node address of their choosing and thereby bypass the proxy address validation performed by kube-apiserver. A proxy request to that node is then forwarded to the chosen address, which lets the user access endpoints on the internal network of kube-apiserver.

Your cluster is affected if such a user can reach endpoints on the internal network of kube-apiserver. This includes:

  • Endpoints in the separate network used by kube-apiserver and worker nodes.
  • Endpoints of localhost services.

Because kube-apiserver presents its client certificate when it proxies to a kubelet, mTLS services that accept the same client certificate as nodes are also exposed. The severity of the impact depends on the privileges and sensitivity of the endpoints that can be reached this way.

Mitigation

  1. Do not grant untrusted users RBAC permissions to create or modify Node objects (the nodes and nodes/status resources) or to send proxy requests to nodes (the nodes/proxy subresource).
  2. Check the audit logs of your cluster for Node creation or modification requests that set unexpected node addresses, and for proxy requests sent to those nodes. If you find such requests, treat your cluster as affected.
  3. Watch the release notes of Container Service for Kubernetes (ACK) and update your cluster to a fixed version at the earliest opportunity. For more information about how to update ACK clusters, see Update the Kubernetes version of an ACK cluster.
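The following script is an added example for mitigation steps 1 and 2; it is not ACK or Kubernetes project code. It scans kube-apiserver audit events (audit.k8s.io/v1 JSON lines) for the two signals the advisory describes, Node writes that set addresses outside the expected node ranges and requests to the nodes/proxy subresource, correlates them per node, and separately lists the rules of a Role or ClusterRole that grant the permissions step 1 says not to hand out. The node CIDR (192.168.0.0/16) and the sample events are assumptions constructed for the example; Node writes only carry a requestObject when the audit policy logs them at level Request or RequestResponse.

```python
# Added example (not ACK or Kubernetes code): hunt for CVE-2022-3294 abuse in
# kube-apiserver audit logs and find RBAC rules that enable it. Node writes need
# audit level Request or RequestResponse so that requestObject is logged.
import ipaddress
import json

# Assumed node address ranges for this example; set to your cluster's node CIDRs.
EXPECTED_NODE_CIDRS = [ipaddress.ip_network("192.168.0.0/16")]
NODE_WRITE_VERBS = {"create", "update", "patch"}


def _address_entries(value):
    """Flatten an address value into (type, address) pairs."""
    if isinstance(value, str):
        yield (None, value)
    elif isinstance(value, dict) and "address" in value:
        yield (value.get("type"), value["address"])
    elif isinstance(value, list):
        for item in value:
            yield from _address_entries(item)


def node_address_entries(request_object):
    """Addresses a Node write sets: full Node, (strategic) merge patch, or JSON Patch ops."""
    if isinstance(request_object, list):
        for op in request_object:
            if op.get("op") in ("add", "replace") and op.get("path", "").startswith("/status/addresses"):
                yield from _address_entries(op.get("value"))
    elif isinstance(request_object, dict):
        yield from _address_entries((request_object.get("status") or {}).get("addresses"))


def unexpected_addresses(request_object, expected_cidrs=EXPECTED_NODE_CIDRS):
    """IP-typed node addresses outside expected_cidrs (loopback, the apiserver's own network, ...)."""
    flagged = []
    for kind, addr in node_address_entries(request_object):
        if kind not in (None, "InternalIP", "ExternalIP"):
            continue  # Hostname / DNS entries carry no IP
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            if kind is not None:
                flagged.append(addr)  # an IP-typed entry that is not an IP
            continue
        if not any(ip in net for net in expected_cidrs):
            flagged.append(addr)
    return flagged


def scan_audit_log(lines, expected_cidrs=EXPECTED_NODE_CIDRS):
    """(signal, user, node, detail) findings from audit.k8s.io/v1 JSON-lines events."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        ref = ev.get("objectRef") or {}
        if ref.get("resource") != "nodes":
            continue
        user, node = (ev.get("user") or {}).get("username", "?"), ref.get("name", "?")
        if ref.get("subresource") == "proxy":
            findings.append(("node-proxy-request", user, node, ev.get("requestURI", "")))
        elif ev.get("verb") in NODE_WRITE_VERBS:
            bad = unexpected_addresses(ev.get("requestObject"), expected_cidrs)
            if bad:
                findings.append(("unexpected-node-address", user, node, ",".join(bad)))
    return findings


def nodes_with_both_signals(findings):
    """Nodes whose addresses were rewritten and that then received proxy requests."""
    by_signal = {}
    for signal, _user, node, _detail in findings:
        by_signal.setdefault(signal, set()).add(node)
    return by_signal.get("unexpected-node-address", set()) & by_signal.get("node-proxy-request", set())


def risky_rbac_rules(role):
    """Rules of a Role/ClusterRole dict that allow Node writes or nodes/proxy; '*' counts."""
    risky = []
    for rule in role.get("rules") or []:
        if not {"", "*"} & set(rule.get("apiGroups") or []):
            continue  # nodes live in the core API group
        resources, verbs = set(rule.get("resources") or []), set(rule.get("verbs") or [])
        writes_nodes = {"nodes", "nodes/status", "*"} & resources and (NODE_WRITE_VERBS | {"*"}) & verbs
        proxies_nodes = {"nodes/proxy", "*"} & resources and verbs
        if writes_nodes or proxies_nodes:
            risky.append(rule)
    return risky


# Constructed sample events (not from a real cluster): event 1 is a kubelet's own
# status update; events 2-4 show the CVE-2022-3294 pattern from non-node users.
SAMPLE_AUDIT_LINES = [
    '{"verb":"patch","user":{"username":"system:node:node-a"},"objectRef":{"resource":"nodes","subresource":"status","name":"node-a"},"requestObject":{"status":{"addresses":[{"type":"InternalIP","address":"192.168.1.10"},{"type":"Hostname","address":"node-a"}]}}}',
    '{"verb":"patch","user":{"username":"dev-user"},"objectRef":{"resource":"nodes","subresource":"status","name":"node-a"},"requestObject":{"status":{"addresses":[{"type":"InternalIP","address":"127.0.0.1"}]}}}',
    '{"verb":"get","user":{"username":"dev-user"},"objectRef":{"resource":"nodes","subresource":"proxy","name":"node-a"},"requestURI":"/api/v1/nodes/node-a/proxy/metrics"}',
    '{"verb":"patch","user":{"username":"ci-bot"},"objectRef":{"resource":"nodes","subresource":"status","name":"node-b"},"requestObject":[{"op":"replace","path":"/status/addresses/0/address","value":"10.0.0.4"}]}',
]

if __name__ == "__main__":
    hits = scan_audit_log(SAMPLE_AUDIT_LINES)
    for hit in hits:
        print(*hit)
    print("address rewrite followed by proxy on:", sorted(nodes_with_both_signals(hits)))
```

Run it against the output of `kubectl get clusterroles -o json` (one item per call to `risky_rbac_rules`) and against your audit log file to get the same two views on a real cluster. A kubelet legitimately writes its own Node status, so filter on the username prefix `system:node:` only after confirming the addresses it reports fall inside your node ranges; the whole point of the vulnerability is that a non-kubelet identity can write the same field.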