Kubernetes - v1.24.5

Security

Changelog since v1.24.4

Important Security Information

This release contains changes that address the following vulnerabilities:

CVE-2022-3172: Aggregated API server can cause clients to be redirected (SSRF)

A security issue was discovered in kube-apiserver that could allow an attacker controlled aggregated API server to redirect client traffic to any URL. This could lead to the client performing unexpected actions as well as leaking the client's credentials to third parties.

There is no mitigation for this issue. Cluster admins should take care to secure aggregated API servers and should not grant access to mutate APIServices to untrusted parties.

Affected Versions:
- kube-apiserver v1.25.0
- kube-apiserver v1.24.0 - v1.24.4
- kube-apiserver v1.23.0 - v1.23.10
- kube-apiserver v1.22.0 - v1.22.14
- kube-apiserver <= v1.21.?

Fixed Versions:
- kube-apiserver v1.25.1
- kube-apiserver v1.24.5
- kube-apiserver v1.23.11
- kube-apiserver v1.22.14

This vulnerability was reported by Nicolas Joly & Weinong Wang from Microsoft.

CVSS Rating: Medium (5.1) CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L

CVE-2021-25749: runAsNonRoot logic bypass for Windows containers

A security issue was discovered in Kubernetes that could allow Windows workloads to run as ContainerAdministrator even when those workloads set the runAsNonRoot option to true.

This issue has been rated low and assigned CVE-2021-25749.

Am I vulnerable?

All Kubernetes clusters running the following versions and hosting Windows workloads that set runAsNonRoot are impacted.

Affected Versions

  • kubelet v1.20 - v1.21
  • kubelet v1.22.0 - v1.22.13
  • kubelet v1.23.0 - v1.23.10
  • kubelet v1.24.0 - v1.24.4

How do I mitigate this vulnerability?

There are no known mitigations to this vulnerability.

Fixed Versions

  • kubelet v1.22.14
  • kubelet v1.23.11
  • kubelet v1.24.5
  • kubelet v1.25.0

To upgrade core Kubernetes, refer to this documentation: https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster

Detection

Kubernetes audit logs may show whether a pod's user name was written with a differently cased variant of 'ContainerAdministrator' to bypass the runAsNonRoot restriction on which user a pod is allowed to run as.
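As an added example (not part of this advisory or of the Kubernetes project): a small Python scanner over JSON-lines audit events that flags pod writes combining runAsNonRoot with a case-variant of ContainerAdministrator. It assumes the event's requestObject is present (audit level Request or RequestResponse) and reads the Pod API's securityContext.windowsOptions.runAsUserName field; the sample events are constructed.

```python
import json

ADMIN = "ContainerAdministrator"


def suspicious_casing(name: str) -> bool:
    """True for a runAsUserName the pre-fix kubelet let through: it rejected only
    the exact string, while Windows resolves any casing of it to the same account."""
    return name != ADMIN and name.casefold() == ADMIN.casefold()


def effective(*contexts):
    """Merge pod-level, then container-level, securityContext as the kubelet does."""
    non_root, user = False, ""
    for sc in contexts:
        sc = sc or {}
        if "runAsNonRoot" in sc:
            non_root = bool(sc["runAsNonRoot"])
        user = (sc.get("windowsOptions") or {}).get("runAsUserName") or user
    return non_root, user


def findings(audit_log: str):
    """Scan JSON-lines audit events for pod writes that combine runAsNonRoot
    with a case-variant of ContainerAdministrator; returns (user, pod, container, name)."""
    out = []
    for line in filter(str.strip, audit_log.splitlines()):
        ev = json.loads(line)
        ref = ev.get("objectRef", {})
        if ref.get("resource") != "pods":
            continue
        spec = ev.get("requestObject", {}).get("spec", {})
        for c in spec.get("containers", []):
            non_root, user = effective(spec.get("securityContext"), c.get("securityContext"))
            if non_root and suspicious_casing(user):
                out.append((ev["user"]["username"], f'{ref["namespace"]}/{ref["name"]}', c["name"], user))
    return out


# Constructed sample events (not from a real cluster): a compliant pod, the exact name
# the kubelet always rejected, and a casing bypass where one container turns runAsNonRoot off.
SAMPLE_AUDIT_LOG = """\
{"user":{"username":"alice"},"objectRef":{"resource":"pods","namespace":"win","name":"ok"},"requestObject":{"spec":{"securityContext":{"runAsNonRoot":true},"containers":[{"name":"app","securityContext":{"windowsOptions":{"runAsUserName":"ContainerUser"}}}]}}}
{"user":{"username":"bob"},"objectRef":{"resource":"pods","namespace":"win","name":"rejected"},"requestObject":{"spec":{"securityContext":{"runAsNonRoot":true,"windowsOptions":{"runAsUserName":"ContainerAdministrator"}},"containers":[{"name":"app"}]}}}
{"user":{"username":"mallory"},"objectRef":{"resource":"pods","namespace":"win","name":"bypass"},"requestObject":{"spec":{"securityContext":{"runAsNonRoot":true,"windowsOptions":{"runAsUserName":"containeradministrator"}},"containers":[{"name":"app"},{"name":"sidecar","securityContext":{"runAsNonRoot":false}}]}}}
"""

if __name__ == "__main__":
    for user, pod, container, name in findings(SAMPLE_AUDIT_LOG):
        print(f"{user} wrote pod {pod} container {container} with runAsUserName={name!r}")
```

On the sample only mallory's "app" container is reported: the exact name is not a bypass, and the sidecar disables runAsNonRoot so the check it would have bypassed is not in force.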

If you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io

Additional Details

See the GitHub issue for more details: https://github.com/kubernetes/kubernetes/issues/112192

Acknowledgements

This vulnerability was reported and fixed by Mark Rosetti (@marosset).

CVSS Rating: Low (3.4) CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C

Changes by Kind

API Change

  • Revert regression that prevented client-go latency metrics to be reported with a template URL to avoid label cardinality. (#112056, @aanm) [SIG API Machinery]

Feature

Bug or Regression

  • Fix an ephemeral port exhaustion bug caused by improper connection management that occurred when a large number of objects were handled by kubectl while exec auth was in use. (#112337, @enj) [SIG API Machinery and Auth]
  • Fix problem in updating VolumeAttached in node status (#112304, @xing-yang) [SIG Apps]
  • Kube-apiserver: redirect responses are no longer returned from backends by default. Set --aggregator-reject-forwarding-redirect=false to continue forwarding redirect responses. (#112331, @enj) [SIG API Machinery]
  • UserName check for 'ContainerAdministrator' is now case-insensitive if runAsNonRoot is set to true on Windows. (#112211, @PushkarJ) [SIG Node, Testing and Windows]

Dependencies

Added

Nothing has changed.

Changed

Removed

Nothing has changed.


Details

Date: Sept. 14, 2022, 8:44 p.m.
Name: Kubernetes v1.24.5
Type: Patch