openEuler 20.03 LTS SP3 update for kubernetes
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 5 |
| CVE-ID | CVE-2022-3162 CVE-2022-3294 CVE-2023-2431 CVE-2023-2727 CVE-2023-2728 |
| CWE-ID | CWE-284 CWE-20 CWE-264 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #5 is available. |
| Vulnerable software |
openEuler Operating systems & Components / Operating system kubernetes-help Operating systems & Components / Operating system package or component kubernetes-kubelet Operating systems & Components / Operating system package or component kubernetes-node Operating systems & Components / Operating system package or component kubernetes-master Operating systems & Components / Operating system package or component kubernetes-client Operating systems & Components / Operating system package or component kubernetes-kubeadm Operating systems & Components / Operating system package or component kubernetes Operating systems & Components / Operating system package or component |
| Vendor | openEuler |
Security Bulletin
This security bulletin contains information about 5 vulnerabilities.
1) Improper access control
EUVDB-ID: #VU71364
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-3162
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. Users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different kind in the same API group they are not authorized to read.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 20.03 LTS SP3
kubernetes-help: before 1.20.2-20
kubernetes-kubelet: before 1.20.2-20
kubernetes-node: before 1.20.2-20
kubernetes-master: before 1.20.2-20
kubernetes-client: before 1.20.2-20
kubernetes-kubeadm: before 1.20.2-20
kubernetes: before 1.20.2-20
CPE2.3- cpe:2.3:o:openeuler:openeuler:20.03:LTS SP3:*:*:*:*:*:*
- cpe:2.3:a:openeuler:kubernetes-help:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:kubernetes-kubelet:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:kubernetes-node:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:kubernetes-master:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:kubernetes-client:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:kubernetes-kubeadm:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:kubernetes:*:*:*:*:*:openeuler:*:*
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2023-1413
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Input validation error
EUVDB-ID: #VU76474
Risk: Medium
CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-3294
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote user to execute arbitrary cod on the system.
The vulnerability exists due to users may have access to secure endpoints in the control plane network. A remote user can trigger the vulnerability and allow authenticated requests destined for Nodes to the API server's private network.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 20.03 LTS SP3
kubernetes-help: before 1.20.2-20
kubernetes-kubelet: before 1.20.2-20
kubernetes-node: before 1.20.2-20
kubernetes-master: before 1.20.2-20
kubernetes-client: before 1.20.2-20
kubernetes-kubeadm: before 1.20.2-20
kubernetes: before 1.20.2-20
CPE2.3- cpe:2.3:o:openeuler:openeuler:20.03:LTS SP3:*:*:*:*:*:*
- cpe:2.3:a:openeuler:kubernetes-help:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:kubernetes-kubelet:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:kubernetes-node:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:kubernetes-master:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:kubernetes-client:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:kubernetes-kubeadm:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:kubernetes:*:*:*:*:*:openeuler:*:*
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2023-1413
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU77775
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-2431
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists in Kubelet that allows pods to bypass the seccomp profile enforcement. Pods that use localhost type for seccomp profile but specify an empty profile field, are affected by this issue. In this scenario, this vulnerability allows the pod to run in unconfined (seccomp disabled) mode
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 20.03 LTS SP3
kubernetes-help: before 1.20.2-20
kubernetes-kubelet: before 1.20.2-20
kubernetes-node: before 1.20.2-20
kubernetes-master: before 1.20.2-20
kubernetes-client: before 1.20.2-20
kubernetes-kubeadm: before 1.20.2-20
kubernetes: before 1.20.2-20
CPE2.3- cpe:2.3:o:openeuler:openeuler:20.03:LTS SP3:*:*:*:*:*:*
- cpe:2.3:a:openeuler:kubernetes-help:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:kubernetes-kubelet:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:kubernetes-node:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:kubernetes-master:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:kubernetes-client:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:kubernetes-kubeadm:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:kubernetes:*:*:*:*:*:openeuler:*:*
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2023-1413
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU77525
Risk: Medium
CVSSv4.0: 6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-2727
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to improperly imposed security restrictions. A remote user can launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers.
Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers.
Install updates from vendor's repository.
Vulnerable software versionsopenEuler: 20.03 LTS SP3
kubernetes-help: before 1.20.2-20
kubernetes-kubelet: before 1.20.2-20
kubernetes-node: before 1.20.2-20
kubernetes-master: before 1.20.2-20
kubernetes-client: before 1.20.2-20
kubernetes-kubeadm: before 1.20.2-20
kubernetes: before 1.20.2-20
CPE2.3- cpe:2.3:o:openeuler:openeuler:20.03:LTS SP3:*:*:*:*:*:*
- cpe:2.3:a:openeuler:kubernetes-help:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:kubernetes-kubelet:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:kubernetes-node:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:kubernetes-master:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:kubernetes-client:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:kubernetes-kubeadm:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:kubernetes:*:*:*:*:*:openeuler:*:*
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2023-1413
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU77526
Risk: Medium
CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2023-2728
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: Yes
DescriptionThe vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to improperly imposed security restrictions. A remote user can launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers.Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with ephemeral containers.
Install updates from vendor's repository.
Vulnerable software versionsopenEuler: 20.03 LTS SP3
kubernetes-help: before 1.20.2-20
kubernetes-kubelet: before 1.20.2-20
kubernetes-node: before 1.20.2-20
kubernetes-master: before 1.20.2-20
kubernetes-client: before 1.20.2-20
kubernetes-kubeadm: before 1.20.2-20
kubernetes: before 1.20.2-20
CPE2.3- cpe:2.3:o:openeuler:openeuler:20.03:LTS SP3:*:*:*:*:*:*
- cpe:2.3:a:openeuler:kubernetes-help:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:kubernetes-kubelet:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:kubernetes-node:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:kubernetes-master:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:kubernetes-client:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:kubernetes-kubeadm:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:kubernetes:*:*:*:*:*:openeuler:*:*
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2023-1413
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
