CVE-2022-3172 – kube-apiserver can allow an aggregated API server to redirect client traffic to any URL 

A new vulnerability was reported on Sep 16th in kube-apiserver that allows an aggregated API server to redirect client traffic to any URL. As a result, the client may perform unexpected actions and share the API server credentials with third parties.

The aggregated API server extension in Kubernetes API server enables users to extend API server with alternative objects and paths. In contrast to CRDs (custom resource definitions), these objects are not managed by the API server, and all requests to these objects are sent to a handler endpoint.

Prior to the fixes, the API server returned HTTP 3xx responses “as is” to the client. If a malicious endpoint is accessed, the API server will sign his TLS response and redirect the client to the 3xx message content.
To read more

Who is vulnerable? 

All Kubernetes clusters with the following versions that are running aggregated API servers are impacted.

• kube-apiserver v1.25.0
• kube-apiserver v1.24.0 – v1.24.4
• kube-apiserver v1.23.0 – v1.23.10
• kube-apiserver v1.22.0 – v1.22.13
• kube-apiserver <= v1.21.14

Detection and mitigation using Kubescape

Kubescape has developed a dedicated control – C-0089– in the ARMOBest framework verifying if this CVE exists in your cluster.

Please install or update to the latest Kubescape version from GitHub, or via the following command:

curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash

To learn more

Aggregated API servers are a trusted part of the Kubernetes control plane, and configuring them is a privileged administrative operation. Ensure that only trusted cluster administrators are allowed to create or modify APIService configuration, and follow security best practices with any aggregated API servers that may be in use.

Fixed Versions

• kube-apiserver v1.25.1
• kube-apiserver v1.24.5
• kube-apiserver v1.23.11
• kube-apiserver v1.22.14