
Container Service for Kubernetes:Vulnerabilities CVE-2023-2727 and CVE-2023-2728

Last Updated: Jul 28, 2023

The Kubernetes community recently discovered vulnerabilities CVE-2023-2727 and CVE-2023-2728, which are related to kube-apiserver. For more information about the vulnerabilities, see #118640.

  • CVE-2023-2727: An attacker who can create ephemeral containers can exploit a flaw in the ImagePolicyWebhook admission plug-in to launch containers whose images bypass the image security policies that the plug-in is meant to enforce. CVE-2023-2727 is rated as medium severity and its Common Vulnerability Scoring System (CVSS) score is 6.5.

  • CVE-2023-2728: An attacker who can create ephemeral containers can exploit a flaw in the ServiceAccount admission plug-in to launch containers that bypass the enforce-mountable-secrets policy that the plug-in is meant to enforce. The attacker can then read Secrets in the ephemeral container that the service account is not authorized to reference. CVE-2023-2728 is rated as medium severity and its CVSS score is 6.5.

Affected versions

Important
  • CVE-2023-2727: Only clusters in which the ImagePolicyWebhook admission plug-in is used together with ephemeral containers are affected.

  • CVE-2023-2728: Only clusters in which the ServiceAccount admission plug-in and the kubernetes.io/enforce-mountable-secrets annotation are used together with ephemeral containers are affected.

The vulnerabilities affect the following kube-apiserver versions:

  • v1.27.0 to v1.27.2

  • v1.26.0 to v1.26.5

  • v1.25.0 to v1.25.10

  • ≤ v1.24.14

These vulnerabilities are fixed in the following kube-apiserver versions:

  • v1.27.3

  • v1.26.6

  • v1.25.11

  • v1.24.15

Solution

You can use the following methods to mitigate the impact of the vulnerabilities:

  • We recommend that you use the ACKAllowedRepos and ACKNoEnvVarSecrets security policies provided by Container Service for Kubernetes (ACK) in place of the ImagePolicyWebhook and ServiceAccount admission plug-ins. These security policies provide the same level of protection as the admission plug-ins. For more information about security policies, see Configure and enforce ACK pod security policies.

  • Monitor and analyze the audit logs of the API server so that suspicious ephemeral container requests are identified as early as possible.
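Both vulnerabilities are reached through requests that add ephemeral containers to a pod, so the audit log entries to watch are mutating requests against the pods/ephemeralcontainers subresource. The following script is an added example, not part of this advisory and not ACK code: it parses API server audit output in JSON-lines form, keeps only completed patch/update requests to that subresource, and reports who made them, against which pod, whether the API server allowed them, and (when the audit policy records request bodies) which images were requested. The sample events are constructed; their layout follows the audit.k8s.io/v1 Event schema (objectRef, responseStatus, requestObject, stage), but user and pod names are made up.

```python
"""Scan Kubernetes API server audit logs for ephemeral-container requests.

Added example (not from the advisory or from ACK). Flags audit events that
create or modify the `ephemeralcontainers` pod subresource, which is the
request path both CVEs depend on. Field names (objectRef, responseStatus,
requestObject, stage) are real audit.k8s.io/v1 fields; the sample events
and the principals in them are constructed.
"""
import json
from collections import Counter

# Verbs that add or change ephemeral containers; reads (get/list/watch) are ignored.
MUTATING_VERBS = {"patch", "update"}

# Constructed sample audit log (JSON lines, one event per line).
SAMPLE_AUDIT_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:kube-system:default"},"objectRef":{"resource":"pods","namespace":"kube-system","name":"coredns-abc"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2023-07-01T10:00:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseStarted","verb":"patch","user":{"username":"alice"},"objectRef":{"resource":"pods","subresource":"ephemeralcontainers","namespace":"prod","name":"payments-7d9f"},"requestReceivedTimestamp":"2023-07-01T10:05:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"patch","user":{"username":"alice"},"objectRef":{"resource":"pods","subresource":"ephemeralcontainers","namespace":"prod","name":"payments-7d9f"},"requestObject":{"spec":{"ephemeralContainers":[{"name":"debugger","image":"docker.io/library/busybox:latest"}]}},"responseStatus":{"code":200},"requestReceivedTimestamp":"2023-07-01T10:05:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"update","user":{"username":"system:serviceaccount:dev:ci"},"objectRef":{"resource":"pods","subresource":"ephemeralcontainers","namespace":"dev","name":"builder-1"},"responseStatus":{"code":403},"requestReceivedTimestamp":"2023-07-01T10:06:00.000000Z"}
not valid json
"""


def parse_audit_lines(text):
    """Decode JSON-lines audit output, skipping lines that are not valid JSON."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # truncated or garbled line; a real pipeline would count these
    return events


def ephemeral_images(event):
    """Best-effort list of requested images. requestObject is only present when the
    audit policy level for the request is Request or RequestResponse."""
    spec = (event.get("requestObject") or {}).get("spec") or {}
    return [c.get("image", "") for c in spec.get("ephemeralContainers", [])]


def find_ephemeral_container_events(events):
    """Return one summary per completed mutating request to pods/ephemeralcontainers."""
    findings = []
    for ev in events:
        ref = ev.get("objectRef") or {}
        if ref.get("resource") != "pods" or ref.get("subresource") != "ephemeralcontainers":
            continue
        if ev.get("verb") not in MUTATING_VERBS:
            continue
        # A request is logged at several stages; only ResponseComplete carries the final status code.
        if ev.get("stage") != "ResponseComplete":
            continue
        code = (ev.get("responseStatus") or {}).get("code", 0)
        findings.append({
            "time": ev.get("requestReceivedTimestamp"),
            "user": (ev.get("user") or {}).get("username"),
            "verb": ev["verb"],
            "namespace": ref.get("namespace"),
            "pod": ref.get("name"),
            "images": ephemeral_images(ev),
            "succeeded": 200 <= code < 300,
        })
    return findings


def count_by_user(findings):
    """Count successful ephemeral-container additions per principal, to surface unusual users."""
    return Counter(f["user"] for f in findings if f["succeeded"])


if __name__ == "__main__":
    hits = find_ephemeral_container_events(parse_audit_lines(SAMPLE_AUDIT_LOG))
    for h in hits:
        status = "OK    " if h["succeeded"] else "DENIED"
        print(f'{h["time"]} {status} {h["user"]} {h["verb"]} {h["namespace"]}/{h["pod"]} images={h["images"]}')
    print("successful additions per user:", dict(count_by_user(hits)))
```

Denied requests (non-2xx) are reported too, since repeated 403s against the subresource are themselves worth a look. Whether images appear in the output depends on the cluster's audit policy: at Metadata level only the principal, verb and target pod are available, which is still enough to alert on unexpected principals adding ephemeral containers in production namespaces.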