CVE-2022-3162 is a recently discovered vulnerability affecting Kubernetes clusters. It can result in unauthorized access to custom resources in the same API group, potentially leading to data leakages and security risks. In this long-read post, we'll explore the details of this vulnerability, provide code snippets that demonstrate the issue, and offer helpful tips to safeguard your cluster.
Users who can list or watch a specific type of namespaced custom resource cluster-wide might access custom resources of another type within the same API group without proper authorization. To be impacted by this vulnerability, your cluster must meet all of the following conditions:
Users are NOT authorized to read another custom resource in the same API group.
Here's an example of how this vulnerability can be exploited. Let's assume we have two CustomResourceDefinitions (CRD) in the same API group called "my_api_group":
CRD YAML example
apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: crd1_my_resource.my_api_group spec: group: my_api_group versions: - name: v1 served: true storage: true names: kind: Crd1MyResource plural: crd1_my_resource scope: Namespaced
Suppose a user has permission to list or watch "crd1_my_resource" cluster-wide
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: list-watch-crd1 rules: - apiGroups: ["my_api_group"] resources: ["crd1_my_resource"] verbs: ["list", "watch"]
This user is not authorized to read "crd2_another_resource." However, due to CVE-2022-3162, they can still access it without proper authorization.
To mitigate this vulnerability, there are several steps you can take
1. Upgrade your Kubernetes clusters: Update your cluster to a version containing the patch for CVE-2022-3162. The following versions include the required fix:
2. Restrict RBAC permissions: Limit the permissions granted to users in the cluster, following the principle of least privilege. Ensure users only have the access required for their role, and avoid providing cluster-wide permission without proper checks.
To learn more about this vulnerability, refer to the original references below
1. Kubernetes Security Announcement: https://github.com/kubernetes/kubernetes/issues/106589
2. CVE-2022-3162 - NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-3162
CVE-2022-3162 is a significant security vulnerability with the potential to grant unauthorized access to specific custom resources in Kubernetes clusters. By understanding its intricacies and implementing robust security practices, you can mitigate and prevent unauthorized access to your cluster. Be sure to keep your cluster up-to-date and pay attention to the configuration of your CustomResourceDefinitions.
Published on: 03/01/2023 19:15:00 UTC
Last modified on: 05/11/2023 15:15:00 UTC