CVE-2023-2727: Bypassing policies imposed by the ImagePolicyWebhook admission plugin
First published: Wed May 31 2023(Updated: )
A security issue was discovered in Kubernetes where users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers. This issue affects kube-apiserver. Clusters are impacted by this vulnerability if: 1. The ImagePolicyWebhook admission plugin is used to restrict the use of certain images and 2. Pods using ephemeral containers.
Credit: jordan@liggitt.net jordan@liggitt.net
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Kubernetes Kubernetes | <=1.24.14 | |
| Kubernetes Kubernetes | >=1.25.0<=1.25.10 | |
| Kubernetes Kubernetes | >=1.26.0<=1.26.5 | |
| Kubernetes Kubernetes | >=1.27.0<=1.27.2 | |
| redhat/kube-apiserver | <1.27.3 | 1.27.3 |
| redhat/kube-apiserver | <1.26.6 | 1.26.6 |
| redhat/kube-apiserver | <1.25.11 | 1.25.11 |
| redhat/kube-apiserver | <1.24.15 | 1.24.15 |
Remedy
To mitigate this vulnerability, upgrade Kubernetes: https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2023/07/06/2
- https://github.com/kubernetes/kubernetes/issues/118640
- https://groups.google.com/g/kubernetes-security-announce/c/vPWYJ_L84m8
- https://security.netapp.com/advisory/ntap-20230803-0004/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2215200
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2215202
- https://access.redhat.com/errata/RHSA-2023:5008
- https://bugzilla.redhat.com/show_bug.cgi?id=2211322
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2023-2727.
How does this vulnerability affect Kubernetes clusters?
Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers.
What is the severity of CVE-2023-2727?
The severity of CVE-2023-2727 is medium, with a severity value of 6.5.
How can I fix CVE-2023-2727?
To fix CVE-2023-2727, users should update to Kubernetes versions 1.24.15, 1.25.11, 1.26.6, or 1.27.3 or later.
Where can I find more information about CVE-2023-2727?
More information about CVE-2023-2727 can be found at the following references: [link1], [link2], [link3].
- collector/nvd-index
- agent/references
- agent/author
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- agent/weakness
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-2727
- agent/software-canonical-lookup
- collector/nvd-api
- agent/software-canonical-lookup-request
- agent/remedy
- agent/title
- agent/severity
- agent/event
- agent/tags
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/source
- vendor/kubernetes
- canonical/kubernetes kubernetes
- version/kubernetes kubernetes/1.24.14
- version/kubernetes kubernetes/1.25.0
- version/kubernetes kubernetes/1.25.10
- version/kubernetes kubernetes/1.26.0
- version/kubernetes kubernetes/1.26.5
- version/kubernetes kubernetes/1.27.0
- version/kubernetes kubernetes/1.27.2
- package-manager/redhat