CVE-2022-3162: Unauthorized read of Custom Resources
First published: Thu Oct 20 2022(Updated: )
A flaw was found in kubernetes. Users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different kind in the same API group they are not authorized to read.
Credit: jordan@liggitt.net
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/openshift | <0:4.12.0-202301042257.p0.g77bec7a.assembly.stream.el9 | 0:4.12.0-202301042257.p0.g77bec7a.assembly.stream.el9 |
| redhat/microshift | <0:4.12.4-202302151633.p0.gb9fe8ac.assembly.4.12.4.el8 | 0:4.12.4-202302151633.p0.gb9fe8ac.assembly.4.12.4.el8 |
| Kubernetes Kubernetes | <=1.22.15 | |
| Kubernetes Kubernetes | >=1.23.0<=1.23.13 | |
| Kubernetes Kubernetes | >=1.24.0<=1.24.7 | |
| Kubernetes Kubernetes | >=1.25.0<=1.25.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/kubernetes/kubernetes/issues/113756
- https://groups.google.com/g/kubernetes-security-announce/c/iUd550j7kjA
- https://security.netapp.com/advisory/ntap-20230511-0004/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2141987
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2141988
- https://access.redhat.com/errata/RHSA-2022:7398
- https://access.redhat.com/security/cve/cve-2022-3162
- https://access.redhat.com/errata/RHSA-2023:0772
- https://bugzilla.redhat.com/show_bug.cgi?id=2136673
- https://www.cve.org/CVERecord?id=CVE-2022-3162 https://nvd.nist.gov/vuln/detail/CVE-2022-3162 https://github.com/kubernetes/kubernetes/issues/113756
Frequently Asked Questions
What is CVE-2022-3162?
CVE-2022-3162 is a vulnerability in Kubernetes that allows users to read custom resources of a different type in the same API group without authorization.
How does CVE-2022-3162 affect clusters?
Clusters are impacted by CVE-2022-3162 if there are 2 or more CustomResourceDefinitions shared cluster-wide and users authorized to list or watch one type of namespaced custom resource can access custom resources of a different type in the same API group without authorization.
What is the severity of CVE-2022-3162?
CVE-2022-3162 has a severity rating of medium with a CVSS score of 6.5.
How can I fix CVE-2022-3162?
To fix CVE-2022-3162, update Kubernetes kube-apiserver to version 1.25.4, 1.24.8, 1.23.14, or 1.22.16, or update Red Hat OpenShift Container Platform to version 4.12.0-202301042257.p0.g77bec7a.assembly.stream.el9, or update microshift to version 4.12.4-202302151633.p0.gb9fe8ac.assembly.4.12.4.el8.
Where can I find more information about CVE-2022-3162?
You can find more information about CVE-2022-3162 at the following references: [Bugzilla - 2141987](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2141987), [Bugzilla - 2141988](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2141988), [Red Hat Security Advisory - RHSA-2022:7398](https://access.redhat.com/errata/RHSA-2022:7398).
- collector/redhat-cve
- collector/nvd-index
- agent/first-publish-date
- agent/type
- agent/softwarecombine
- agent/author
- agent/references
- agent/severity
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-3162
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/title
- agent/description
- agent/event
- agent/trending
- agent/tags
- agent/source
- package-manager/redhat
- vendor/kubernetes
- canonical/kubernetes kubernetes
- version/kubernetes kubernetes/1.22.15
- version/kubernetes kubernetes/1.23.0
- version/kubernetes kubernetes/1.23.13
- version/kubernetes kubernetes/1.24.0
- version/kubernetes kubernetes/1.24.7
- version/kubernetes kubernetes/1.25.0
- version/kubernetes kubernetes/1.25.3