CVE-2022-3162: Unauthorized read of Custom Resources #113756
Comments

Fix PRs:
Do I understand it correctly that it's only get/list that can be done?

@NissesSenap correct, as far as we can tell, the exploit is read-only. However, I think it only works for list & watch requests, not get.
Does this CVE exist in version 1.20.x?
Hi, what are the steps to reproduce this CVE? I have two namespaced CRDs. My user sends a request to list objects
@pparshin I am also having trouble trying to reproduce this bug. Did you ever figure it out?
@mrintern not yet, unfortunately. I've tried a lot of request variations but without success
My user has permissions to both types, but I still can't successfully list the CRD objects using '..'. I guess this bug can't be exploited because the URL parameters are parsed correctly and '../' or '/..' can't be included in the 'key'. kubernetes/staging/src/k8s.io/apiserver/pkg/storage/etcd3/store.go, lines 568 to 572 in 7061704.

The prepareKey method is used to address the problem. kubernetes/staging/src/k8s.io/apiserver/pkg/storage/etcd3/store.go, lines 964 to 986 in 7061704.

@tallclair @mrintern @pparshin
In the following parts, we can see that the URL parts after the subresource aren't interpreted, so if we use '/../' in the URL it won't work. kubernetes/staging/src/k8s.io/apiserver/pkg/endpoints/request/requestinfo.go, lines 197 to 207 in 7061704.
Dear All,

I referenced the code in the commit f1693a0 to verify that the prepareKey() is used to address the problem of '/../' in the path.
Thanks for the clarification

On Wed, Nov 30, 2022 at 1:54 PM yangyong wrote:
I referenced the code in the commit f1693a0 to verify that the prepareKey() is used to address the problem of '/../' in the path.
But according to other parts of Kubernetes, the path parts can't contain '/../'. So I think this bug can't be exploited and this commit may be useless. Even if the prepareKey() method isn't used, the bug can't be exploited.
@mrintern
--
Nick
@HeYuqiu @singvey999 Yes, all versions of Kubernetes prior to the patched versions are affected, meaning all versions <= v1.21
@yy158775 This is a real issue. We were able to reproduce it before the patch, and confirmed that all known exploits are mitigated by this patch. The Security Response Committee does not usually provide full reproduction steps for vulnerabilities, but I'll follow up with the committee to see whether we want to provide more details in this case.
@tallclair Thanks for your help. Could you please share the detailed steps to reproduce this issue? We only have the jump server to connect to the k8s cluster with TLS certs, and that is the admin user account which has the cluster-admin role. By the way, does this issue apply to k8s service accounts as well, or only to k8s user accounts with TLS certs?
CVSS Rating: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
A security issue was discovered in Kubernetes where users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group without authorization.
Am I vulnerable?
Clusters are impacted by this vulnerability if all of the following are true:
Affected Versions
How do I mitigate this vulnerability?
Upgrading the kube-apiserver to a fixed version mitigates this vulnerability.
Prior to upgrading, this vulnerability can be mitigated by avoiding granting cluster-wide list and watch permissions.
Fixed Versions
Detection
Requests containing '..' in the request path are a likely indicator of exploitation. Request paths may be captured in API audit logs, or in kube-apiserver HTTP logs. If you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io
Acknowledgements
This vulnerability was reported by Richard Turnbull of NCC Group as part of the Kubernetes Audit.
/area security
/kind bug
/committee security-response
/label official-cve-feed
/sig api-machinery
/area apiserver
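As an added example (not part of the advisory or the Kubernetes project's own tooling), the detection guidance above applied to kube-apiserver audit log lines: it flags events whose request path contains a '..' segment, ignoring the query string so a benign '..' inside a field selector does not fire. The sample events and the example.com API group are constructed; decoding percent-encoded segments before comparing is an assumption beyond what the advisory states.

```python
import json
from urllib.parse import unquote

# Constructed sample audit events (not from any real cluster), shaped like
# audit.k8s.io/v1 Event objects with only the fields this check reads.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"auditID": "c1", "verb": "list", "user": {"username": "alice"},
     "requestURI": "/apis/example.com/v1/widgets?limit=500"},
    {"auditID": "c2", "verb": "list", "user": {"username": "bob"},
     "requestURI": "/apis/example.com/v1/widgets/../gadgets",
     "sourceIPs": ["10.0.0.9"]},
    {"auditID": "c3", "verb": "watch", "user": {"username": "carol"},
     "requestURI": "/apis/example.com/v1/widgets/%2E%2E/gadgets"},
    # '..' inside a query value is not a path segment and must not fire.
    {"auditID": "c4", "verb": "list", "user": {"username": "dave"},
     "requestURI": "/apis/example.com/v1/widgets?fieldSelector=a..b"},
])


def is_traversal_path(request_uri: str) -> bool:
    """True if any path segment (query string excluded) decodes to '..',
    the indicator the advisory names. Decoding percent-encoded segments
    first is a conservative assumption, not something the advisory states."""
    path = request_uri.split("?", 1)[0]
    return any(unquote(segment) == ".." for segment in path.split("/"))


def find_suspicious_events(audit_log_text: str) -> list:
    """Scan JSON-lines audit log text; return a summary dict for each event
    whose requestURI carries a '..' path segment."""
    hits = []
    for line in audit_log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or non-JSON line (e.g. a klog prefix); skip it
        uri = event.get("requestURI", "")
        if is_traversal_path(uri):
            hits.append({"auditID": event.get("auditID"),
                         "user": event.get("user", {}).get("username"),
                         "verb": event.get("verb"), "requestURI": uri,
                         "sourceIPs": event.get("sourceIPs", [])})
    return hits
```

Run it over an audit log written by the apiserver's log backend (one JSON event per line); the hits carry the auditID, user, verb and source IPs needed to pivot into the rest of the audit trail.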