[CVE-2022-3172][Kubernetes upstream] Aggregated API server can cause clients to be redirected (SSRF) #38994

macedogm · 2022-09-19T09:03:29Z

This issue is to track upstream CVE-2022-3172 in Kubernetes affecting the API server

Original upstream issue kubernetes/kubernetes#112513.

A security issue was discovered in kube-apiserver that allows an aggregated API server to redirect client traffic to any URL. This could lead to the client performing unexpected actions as well as forwarding the client's API server credentials to third parties.

This issue has been rated medium and assigned CVE-2022-3172.

CVSS Rating: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L (5.1, medium)

Am I vulnerable?

All Kubernetes clusters with the following versions that are running aggregated API servers are impacted. To identify if you have aggregated API servers configured, run the following command:

kubectl get apiservices.apiregistration.k8s.io -o=jsonpath='{range .items[?(@.spec.service)]}{.metadata.name}{"\n"}{end}'

Affected Versions

Upstream Kubernetes	RKE	RKE2	K3s
kube-apiserver v1.21	<= v1.21.14-rancher1-1	<= v1.21.14+rke2r1	<= v1.21.14+k3s1
kube-apiserver v1.22.0 - v1.22.13	<= v1.22.13-rancher1-1	<= v1.22.13+rke2r1	<= v1.22.13+k3s1
kube-apiserver v1.23.0 - v1.23.10	<= v1.23.10-rancher1-1	<= v1.23.10+rke2r1	<= v1.23.10+k3s1
kube-apiserver v1.24.0 - v1.24.4	<= v1.24.4-rancher1-1	<= v1.24.4+rke2r1	<= v1.24.4+k3s1
kube-apiserver v1.25.0	Not available	v1.25.0+rke2r1²	v1.25.0+k3s1²

There are no known mitigations to this vulnerability.

Fixed Versions

Upstream Kubernetes	RKE	RKE2	K3s
kubelet v1.22.14	>= v1.22.15-rancher1-1	>= v1.22.15+rke2r2	>= v1.22.15+k3s1
kubelet v1.23.11	>= v1.23.12-rancher1-1	>= v1.23.13+rke2r1	>= v1.23.13+k3s1
kubelet v1.24.5	>= v1.24.6-rancher1-1	>= v1.24.7+rke2r1	>= v1.24.7+k3s1
kubelet v1.25.0	Not available	v1.25.0+rke2r1²	>= v1.25.0+k3s1²

Toggle commit message |

¹ Not available in Rancher >= v2.6.9 and >= v2.7.0 yet.
² Not supported in Rancher.

The text was updated successfully, but these errors were encountered:

macedogm · 2022-11-21T12:40:56Z

Closing this issue, as the fixed versions of RKE, RKE2 and K3s are already available in Rancher >= v2.6.9 and >= v2.7.0.

macedogm added area/kubernetes area/security area/k3s area/rke2 RKE2-related Issues team/hostbusters The team that is responsible for provisioning/managing downstream clusters + K8s version support team/rke2 labels Sep 19, 2022

macedogm assigned cwayne18, snasovich and Sahota1225 Sep 19, 2022

bk201 mentioned this issue Sep 20, 2022

[FEATURE] Bump RKE2 to 1.24.x harvester/harvester#2785

Closed

macedogm mentioned this issue Sep 22, 2022

[CVE-2021-25749][Kubernetes upstream] runAsNonRoot logic bypass for Windows containers #38949

Closed

macedogm closed this as completed Nov 21, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[CVE-2022-3172][Kubernetes upstream] Aggregated API server can cause clients to be redirected (SSRF) #38994

[CVE-2022-3172][Kubernetes upstream] Aggregated API server can cause clients to be redirected (SSRF) #38994

macedogm commented Sep 19, 2022 •

edited

macedogm commented Nov 21, 2022 •

edited

[CVE-2022-3172][Kubernetes upstream] Aggregated API server can cause clients to be redirected (SSRF) #38994

[CVE-2022-3172][Kubernetes upstream] Aggregated API server can cause clients to be redirected (SSRF) #38994

Comments

macedogm commented Sep 19, 2022 • edited

macedogm commented Nov 21, 2022 • edited

macedogm commented Sep 19, 2022 •

edited

macedogm commented Nov 21, 2022 •

edited