OpenCVE

Users may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted user can modify Node objects and send proxy requests to them. Kubernetes supports node proxying, which allows clients of kube-apiserver to access endpoints of a Kubelet to establish connections to Pods, retrieve container logs, and more. While Kubernetes already validates the proxying address for Nodes, a bug in kube-apiserver made it possible to bypass this validation. Bypassing this validation could allow authenticated requests destined for Nodes to to the API server's private network.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Kubernetes	Kubernetes
Redhat	Openshift

Configuration 1 [-]

OR	cpe:2.3:a:kubernetes:kubernetes::::::::
	cpe:2.3:a:kubernetes:kubernetes::::::::
	cpe:2.3:a:kubernetes:kubernetes::::::::
	cpe:2.3:a:kubernetes:kubernetes::::::::

Package	CPE	Advisory	Released Date
Red Hat OpenShift Container Platform 4.12
microshift-0:4.12.1-202301261525.p0.g3db9e81.assembly.4.12.1.el8	cpe:/a:redhat:openshift:4.12::el8	RHBA-2023:0452	2023-01-30T00:00:00Z

References

Link	Providers
https://github.com/kubernetes/kubernetes/issues/113757
https://groups.google.com/g/kubernetes-security-announce/c/VyPOxF7CIbA
https://nvd.nist.gov/vuln/detail/CVE-2022-3294
https://security.netapp.com/advisory/ntap-20230505-0007/
https://www.cve.org/CVERecord?id=CVE-2022-3294

History

No history.

MITRE

Status: PUBLISHED

Assigner: kubernetes

Published: 2023-03-01T00:00:00

Updated: 2024-08-03T01:07:05.856Z

Reserved: 2022-09-23T00:00:00

Link: CVE-2022-3294

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-03-01T19:15:25.570

Modified: 2023-05-05T20:15:09.607

Link: CVE-2022-3294

Redhat

Severity : Moderate

Publid Date: 2022-11-10T17:00:00Z

Links: CVE-2022-3294 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-3294", "assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565", "assignerShortName": "kubernetes", "dateUpdated": "2024-08-03T01:07:05.856Z", "dateReserved": "2022-09-23T00:00:00", "datePublished": "2023-03-01T00:00:00"}, "containers": {"cna": {"title": "Node address isn't always verified when proxying", "datePublic": "2022-11-10T00:00:00", "providerMetadata": {"orgId": "a6081bf6-c852-4425-ad4f-a67919267565", "shortName": "kubernetes", "dateUpdated": "2023-05-05T00:00:00"}, "descriptions": [{"lang": "en", "value": "Users may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted user can modify Node objects and send proxy requests to them. Kubernetes supports node proxying, which allows clients of kube-apiserver to access endpoints of a Kubelet to establish connections to Pods, retrieve container logs, and more. While Kubernetes already validates the proxying address for Nodes, a bug in kube-apiserver made it possible to bypass this validation. Bypassing this validation could allow authenticated requests destined for Nodes to to the API server's private network."}], "affected": [{"vendor": "Kubernetes", "product": "Kubernetes", "versions": [{"version": "unspecified", "lessThanOrEqual": "v1.25.3", "status": "affected", "versionType": "custom"}, {"version": "unspecified", "lessThanOrEqual": "v1.24.7", "status": "affected", "versionType": "custom"}, {"version": "unspecified", "lessThanOrEqual": "v1.23.13", "status": "affected", "versionType": "custom"}, {"version": "unspecified", "lessThanOrEqual": "v1.22.15", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://groups.google.com/g/kubernetes-security-announce/c/VyPOxF7CIbA"}, {"url": "https://github.com/kubernetes/kubernetes/issues/113757"}, {"url": "https://security.netapp.com/advisory/ntap-20230505-0007/"}], "credits": [{"lang": "en", "value": "Yuval Avrahami of Palo Alto Networks"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-20 Improper Input Validation", "cweId": "CWE-20"}]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "source": {"defect": ["https://github.com/kubernetes/kubernetes/issues/113757"], "discovery": "EXTERNAL"}, "workarounds": [{"lang": "en", "value": "Configuring an egress proxy for egress to the cluster network can mitigate this vulnerability"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T01:07:05.856Z"}, "title": "CVE Program Container", "references": [{"url": "https://groups.google.com/g/kubernetes-security-announce/c/VyPOxF7CIbA", "tags": ["x_transferred"]}, {"url": "https://github.com/kubernetes/kubernetes/issues/113757", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20230505-0007/", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*", "matchCriteriaId": "38E275C4-8711-435F-85D8-073116D467CF", "versionEndExcluding": "1.22.16", "vulnerable": true}, {"criteria": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*", "matchCriteriaId": "16AF218C-A7AD-4A8A-9F97-A89D1ADC6C67", "versionEndExcluding": "1.23.14", "versionStartIncluding": "1.23.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*", "matchCriteriaId": "FD71BF6D-ABA3-4974-856B-10B9450C741F", "versionEndExcluding": "1.24.8", "versionStartIncluding": "1.24.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*", "matchCriteriaId": "105810A5-2E62-441A-B07B-9F8A0E774712", "versionEndExcluding": "1.25.4", "versionStartIncluding": "1.25.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Users may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted user can modify Node objects and send proxy requests to them. Kubernetes supports node proxying, which allows clients of kube-apiserver to access endpoints of a Kubelet to establish connections to Pods, retrieve container logs, and more. While Kubernetes already validates the proxying address for Nodes, a bug in kube-apiserver made it possible to bypass this validation. Bypassing this validation could allow authenticated requests destined for Nodes to to the API server's private network."}], "id": "CVE-2022-3294", "lastModified": "2023-05-05T20:15:09.607", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 5.9, "source": "jordan@liggitt.net", "type": "Secondary"}]}, "published": "2023-03-01T19:15:25.570", "references": [{"source": "jordan@liggitt.net", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/kubernetes/kubernetes/issues/113757"}, {"source": "jordan@liggitt.net", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://groups.google.com/g/kubernetes-security-announce/c/VyPOxF7CIbA"}, {"source": "jordan@liggitt.net", "url": "https://security.netapp.com/advisory/ntap-20230505-0007/"}], "sourceIdentifier": "jordan@liggitt.net", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "jordan@liggitt.net", "type": "Secondary"}]}

{"acknowledgement": "Upstream acknowledges Kubernetes Security Response Committee as the original reporter.", "affected_release": [{"advisory": "RHBA-2023:0452", "cpe": "cpe:/a:redhat:openshift:4.12::el8", "package": "microshift-0:4.12.1-202301261525.p0.g3db9e81.assembly.4.12.1.el8", "product_name": "Red Hat OpenShift Container Platform 4.12", "release_date": "2023-01-30T00:00:00Z"}], "bugzilla": {"description": "kubernetes: node address isn't always verified when proxying", "id": "2136675", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136675"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-288", "details": ["Users may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted user can modify Node objects and send proxy requests to them. Kubernetes supports node proxying, which allows clients of kube-apiserver to access endpoints of a Kubelet to establish connections to Pods, retrieve container logs, and more. While Kubernetes already validates the proxying address for Nodes, a bug in kube-apiserver made it possible to bypass this validation. Bypassing this validation could allow authenticated requests destined for Nodes to to the API server's private network.", "A flaw was found in Kubernetes, where users may have access to secure endpoints in the control plane network. Kubernetes supports node proxying, which allows clients of kube-apiserver to access endpoints of a Kubelet to establish connections to Pods, retrieve container logs, and more. While Kubernetes already validates the proxying address for Nodes, a bug in the kube-apiserver made it possible to bypass this validation. Bypassing this validation allows authenticated requests destined for Nodes to redirect to the API Server through its private network."], "name": "CVE-2022-3294", "package_state": [{"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Out of support scope", "package_name": "atomic-openshift", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-tests", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2022-11-10T17:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-3294\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-3294\nhttps://github.com/kubernetes/kubernetes/issues/113757"], "statement": "Kubernetes clusters are only affected if an untrusted user can modify Node objects and send requests proxying through them.\nThe \"openshift\" component of Red Hat OpenShift Container Platform 4 was fixed in RHBA-2023:0452 and as such is marked not affected.", "threat_severity": "Moderate", "upstream_fix": "Kubernetes kube-apiserver 1.25.4, Kubernetes kube-apiserver 1.24.8, Kubernetes kube-apiserver 1.23.14, Kubernetes kube-apiserver 1.22.16"}