CVE-2022-21953

Name of the Vulnerable Software and Affected Versions SUSE Rancher versions prior to 2.5.17 SUSE Rancher versions prior to 2.6.10 SUSE Rancher versions prior to 2.7.1

Description A Missing Authorization vulnerability in SUSE Rancher allows an authenticated user to create an unauthorized shell pod and have limited kubectl access in the local cluster. This issue occurs due to an authorization logic flaw, allowing users to open a shell pod in the Rancher local cluster and have limited kubectl access to it, even if they were not explicitly granted such access. The vulnerability can be exploited in two ways: by intercepting a web request to change the shell's destination to the Rancher local cluster, or by modifying the server cluster address in a kubeconfig file to point to the Rancher local cluster. The severity of this issue is reduced because the shell pod runs with a limited non-root user, but it is still possible to download and run binaries inside the shell pod.

Recommendations For SUSE Rancher versions prior to 2.5.17, update to version 2.5.17 or later. For SUSE Rancher versions prior to 2.6.10, update to version 2.6.10 or later. For SUSE Rancher versions prior to 2.7.1, update to version 2.7.1 or later. As a temporary workaround, consider restricting access to the local cluster and limiting network access to reduce the blast radius of this issue. Additionally, enabling API audit logs can help identify possible abuses of this issue by tracking API requests to the user ID of the user that performed the action.