The Kubernetes community has disclosed CVE-2022-3162, a vulnerability in kube-apiserver. A user who is authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group without being authorized to do so.

CVE-2022-3162 is rated medium severity, with a Common Vulnerability Scoring System (CVSS) score of 6.5.

Affected versions

The following kube-apiserver versions are affected:

  • v1.25.0 to v1.25.3
  • v1.24.0 to v1.24.7
  • v1.23.0 to v1.23.13
  • v1.22.0 to v1.22.15
  • v1.21 and earlier (out of support; no fixed release exists for these versions)

This vulnerability is fixed in the following kube-apiserver versions:

  • v1.25.4
  • v1.24.8
  • v1.23.14
  • v1.22.16

For more information about the vulnerability, see the Kubernetes issue kubernetes/kubernetes#113756 (https://github.com/kubernetes/kubernetes/issues/113756).

Impacts

Your cluster is affected by this vulnerability if both of the following conditions are met:

  • The cluster contains two or more CustomResourceDefinitions (CRDs) that share the same API group.
  • A user is authorized to list or watch, across all namespaces, the namespaced custom resources defined by one of these CRDs, but is not authorized to read the custom resources defined by another CRD in the same group. Cluster-wide list or watch permissions come from a ClusterRole granted through a ClusterRoleBinding; a RoleBinding applies to a single namespace and does not meet this condition.
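
As an added example (not code from this advisory or from the Kubernetes project), the check below evaluates both conditions over a constructed set of CRDs and already-resolved RBAC grants, and reports every subject that can list or watch one CRD cluster-wide while holding no read permission on another CRD in the same API group. It also serves the RBAC review in step 1 of the mitigation, since every subject it reports holds exactly the cluster-wide list or watch permission the vulnerability requires. The CRD records, the flattened grant records, the subject names and the cluster_wide flag are assumptions of the example; in a real cluster they would be derived from the CRD specs and from resolving ClusterRoleBindings and RoleBindings.

```python
"""Check whether a cluster meets the preconditions for CVE-2022-3162.

Added example; not code from the advisory or from the Kubernetes project.
The CRDs and RBAC grants are constructed inputs, not data from a real cluster.
"""
from collections import defaultdict

READ_VERBS = {"get", "list", "watch"}

# Constructed CRDs, carrying the fields a CRD spec exposes. Two share the
# group "example.com"; the third is alone in its group.
CRDS = [
    {"name": "widgets.example.com", "group": "example.com",
     "plural": "widgets", "scope": "Namespaced"},
    {"name": "secretsettings.example.com", "group": "example.com",
     "plural": "secretsettings", "scope": "Namespaced"},
    {"name": "gadgets.other.io", "group": "other.io",
     "plural": "gadgets", "scope": "Namespaced"},
]

# Constructed, already-resolved RBAC: one entry per subject and PolicyRule.
# cluster_wide=True means the rule reached the subject through a
# ClusterRoleBinding, i.e. it applies across all namespaces, which is what
# the vulnerability requires for the list/watch side.
GRANTS = [
    {"subject": "alice", "cluster_wide": True, "apiGroups": ["example.com"],
     "resources": ["widgets"], "verbs": ["list", "watch"]},
    {"subject": "bob", "cluster_wide": True, "apiGroups": ["example.com"],
     "resources": ["*"], "verbs": ["get", "list", "watch"]},
    {"subject": "carol", "cluster_wide": False, "apiGroups": ["example.com"],
     "resources": ["widgets"], "verbs": ["list"]},  # RoleBinding in one namespace
    {"subject": "dave", "cluster_wide": True, "apiGroups": ["other.io"],
     "resources": ["gadgets"], "verbs": ["list"]},
]


def allowed_verbs(grants, subject, group, plural, cluster_wide_only=False):
    """Read verbs `subject` holds on `plural.group`. "*" in apiGroups,
    resources or verbs is honoured as RBAC honours it; a "*" verb is
    expanded to the read verbs because only those matter here."""
    verbs = set()
    for g in grants:
        if g["subject"] != subject:
            continue
        if cluster_wide_only and not g["cluster_wide"]:
            continue
        if not any(x in ("*", group) for x in g["apiGroups"]):
            continue
        if not any(x in ("*", plural) for x in g["resources"]):
            continue
        verbs |= READ_VERBS if "*" in g["verbs"] else set(g["verbs"])
    return verbs


def exposures(crds, grants):
    """Return sorted (subject, listable_crd, exposed_crd) triples: the subject
    can list or watch the first (namespaced) CRD cluster-wide but holds no read
    verb at all on the second, and both CRDs share an API group."""
    by_group = defaultdict(list)
    for c in crds:
        by_group[c["group"]].append(c)
    subjects = sorted({g["subject"] for g in grants})
    found = []
    for group, members in by_group.items():
        for a in members:
            if a["scope"] != "Namespaced":
                continue
            for b in members:
                if b is a:
                    continue
                for s in subjects:
                    cluster_wide = allowed_verbs(grants, s, group, a["plural"], True)
                    if not ({"list", "watch"} & cluster_wide):
                        continue
                    if allowed_verbs(grants, s, group, b["plural"]) & READ_VERBS:
                        continue
                    found.append((s, a["name"], b["name"]))
    return sorted(found)


if __name__ == "__main__":
    for subject, listable, exposed in exposures(CRDS, GRANTS):
        print(f"{subject}: list/watch on {listable} cluster-wide, no read on {exposed}")
```

With the constructed input only alice is reported: bob can read every resource in the group, carol's list permission comes from a RoleBinding and is not cluster-wide, and dave's group contains a single CRD. Any subject the check reports is one whose bindings should be reviewed under step 1 of the mitigation until the cluster runs a fixed version.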

Mitigation

  1. Make sure that only trusted users have the role-based access control (RBAC) permissions to list or watch custom resources in the cluster. Pay particular attention to ClusterRoleBindings, because the vulnerability requires cluster-wide list or watch permissions.
  2. Check the audit log of the Kubernetes API server of your cluster. A request whose path contains ".." indicates that someone may have attempted to exploit this vulnerability; check the user, source IP, and response code of such requests.
  3. Watch the release notes of Container Service for Kubernetes (ACK) and update your cluster to a fixed version as soon as one is available. For more information about how to update ACK clusters, see Update the Kubernetes version of an ACK cluster.
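
The audit-log check in step 2, as an added example rather than code from this advisory or from the Kubernetes project: the scanner below reads kube-apiserver audit events (one JSON object per line, as the log backend writes them) and reports every request whose path contains "..". The four events are constructed for the example, including the request path that contains ".."; they are not taken from a real exploit. The scanner inspects only the path, not the query string, percent-decodes each segment before checking, and collapses the RequestReceived and ResponseComplete stages of one request by auditID so that a single attempt is reported once, with the response code taken from the completed stage.

```python
"""Scan kube-apiserver audit events for request paths containing "..", the
indicator named for CVE-2022-3162.

Added example; not code from the advisory or the Kubernetes project. Field
names follow the audit.k8s.io/v1 Event schema; the events are constructed.
"""
import json
from urllib.parse import unquote, urlsplit

# Constructed audit events. A Metadata-level audit policy is assumed, so
# requestURI, user, verb and responseStatus are present. The ".." path is
# made up for the example and is not a real exploit request.
_EVENTS = [
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
     "auditID": "a1", "stage": "ResponseComplete", "verb": "list",
     "requestURI": "/apis/example.com/v1/namespaces/team-a/widgets?limit=500",
     "user": {"username": "alice"}, "sourceIPs": ["10.0.0.5"],
     "responseStatus": {"code": 200}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
     "auditID": "b2", "stage": "RequestReceived", "verb": "list",
     "requestURI": "/apis/example.com/v1/namespaces/team-a/widgets/../secretsettings",
     "user": {"username": "alice"}, "sourceIPs": ["10.0.0.5"]},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
     "auditID": "b2", "stage": "ResponseComplete", "verb": "list",
     "requestURI": "/apis/example.com/v1/namespaces/team-a/widgets/../secretsettings",
     "user": {"username": "alice"}, "sourceIPs": ["10.0.0.5"],
     "responseStatus": {"code": 200}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
     "auditID": "c3", "stage": "ResponseComplete", "verb": "list",
     "requestURI": "/api/v1/namespaces/team-a/configmaps?labelSelector=app%3Dfoo..bar",
     "user": {"username": "ci-bot"}, "sourceIPs": ["10.0.1.9"],
     "responseStatus": {"code": 200}},
]
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in _EVENTS)


def path_has_dotdot(request_uri):
    """True if any segment of the URI path contains "..". The query string is
    ignored (".." is legal inside a label value, so it would be a false
    positive there) and each segment is percent-decoded first so that an
    encoded "%2e%2e" is caught as well."""
    path = urlsplit(request_uri).path
    return any(".." in unquote(seg) for seg in path.split("/"))


def find_dotdot_requests(lines):
    """Return one record per auditID whose request path contains "..".
    Both stages of a request share an auditID; the ResponseComplete stage
    supplies the response code, so a hit seen only at RequestReceived has
    code None."""
    hits = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        uri = ev.get("requestURI", "")
        if not path_has_dotdot(uri):
            continue
        rec = hits.setdefault(ev["auditID"], {
            "auditID": ev["auditID"],
            "user": ev.get("user", {}).get("username"),
            "verb": ev.get("verb"),
            "requestURI": uri,
            "sourceIPs": ev.get("sourceIPs", []),
            "code": None,
        })
        if "responseStatus" in ev:
            rec["code"] = ev["responseStatus"].get("code")
    return list(hits.values())


if __name__ == "__main__":
    for h in find_dotdot_requests(SAMPLE_AUDIT_LOG.splitlines()):
        print(f'{h["auditID"]} {h["user"]} {h["verb"]} {h["requestURI"]} -> {h["code"]}')
```

Run it over the audit log file of the API server line by line. A hit against a CRD API group with a 2xx response code is the case to investigate first, since the request was served; a hit with a 4xx code still records an attempt and identifies the user and source IP to follow up on.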