diff --git a/CHANGELOG/CHANGELOG-1.24.md b/CHANGELOG/CHANGELOG-1.24.md index feb0a0518ba..84ef532a75f 100644 --- a/CHANGELOG/CHANGELOG-1.24.md +++ b/CHANGELOG/CHANGELOG-1.24.md @@ -9,6 +9,7 @@ - [Container Images](#container-images) - [Changelog since v1.24.7](#changelog-since-v1247) - [Important Security Information](#important-security-information) + - [CVE-2022-3162: Unauthorized read of Custom Resources](#cve-2022-3162-unauthorized-read-of-custom-resources) - [CVE-2022-3294: Node address isn't always verified when proxying](#cve-2022-3294-node-address-isnt-always-verified-when-proxying) - [Changes by Kind](#changes-by-kind) - [API Change](#api-change) @@ -57,7 +58,7 @@ - [Changelog since v1.24.4](#changelog-since-v1244) - [Important Security Information](#important-security-information-1) - [CVE-2022-3172: Aggregated API server can cause clients to be redirected (SSRF)](#cve-2022-3172-aggregated-api-server-can-cause-clients-to-be-redirected-ssrf) - - [CVE-2021-25749: runAsNonRoot logic bypass for Windows containers](#cve-2021-25749-runasnonroot-logic-bypass-for-windows-containers) + - [CVE-2021-25749: `runAsNonRoot` logic bypass for Windows containers](#cve-2021-25749-runasnonroot-logic-bypass-for-windows-containers) - [Am I vulnerable?](#am-i-vulnerable) - [Affected Versions](#affected-versions) - [How do I mitigate this vulnerability?](#how-do-i-mitigate-this-vulnerability) @@ -364,6 +365,28 @@ name | architectures This release contains changes that address the following vulnerabilities: +### CVE-2022-3162: Unauthorized read of Custom Resources + +A security issue was discovered in Kubernetes where users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group they are not authorized to read. + +**Affected Versions**: + - kube-apiserver v1.25.0 - v1.25.3 + - kube-apiserver v1.24.0 - v1.24.7 + - kube-apiserver v1.23.0 - v1.23.13 + - kube-apiserver v1.22.0 - v1.22.15 + - kube-apiserver <= v1.21.? + +**Fixed Versions**: + - kube-apiserver v1.25.4 + - kube-apiserver v1.24.8 + - kube-apiserver v1.23.13 + - kube-apiserver v1.22.16 + +This vulnerability was reported by Richard Turnbull of NCC Group as part of the Kubernetes Audit + + +**CVSS Rating:** Medium (6.5) [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) + ### CVE-2022-3294: Node address isn't always verified when proxying A security issue was discovered in Kubernetes where users may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted user can to modify Node objects and send requests proxying through them.