Pdellamore

**Name of the Vulnerable Software and Affected Versions** Rancher versions prior to 2.7.14 Rancher versions prior to 2.8.5 **Description** A vulnerability has been identified in which Rancher does not automatically clean up a user which has been deleted from the configured authentication provider. This also applies to disabled or revoked users, and may leave the user’s tokens still usable. An adversary may gain unauthorized access as the user’s access privileges may still be active within Rancher even though they are no longer valid on the configured authentication provider. **Recommendations** For versions prior to 2.7.14, update to version 2.7.14 or later to address the issue. For versions prior to 2.8.5, update to version 2.8.5 or later to address the issue. As a temporary workaround, consider manually deleting or disabling inactive users via kubectl or the UI to reflect changes made on the authentication provider. Enable the new user retention process to run periodically and disable and/or delete inactive users, and configure the retention period as needed. Regularly audit the authentication provider’s user accounts for activity and manually deactivate or remove them from Rancher if they are no longer needed.

**Name of the Vulnerable Software and Affected Versions** Rancher versions 2.7.0 through 2.7.13 Rancher versions 2.8.0 through 2.8.4 **Description** A vulnerability has been identified whereby privilege escalation checks are not properly enforced for RoleTemplate objects when external=true, which in specific scenarios can lead to privilege escalation. **Recommendations** For Rancher versions 2.7.0 through 2.7.13, update to version 2.7.14 or later. For Rancher versions 2.8.0 through 2.8.4, update to version 2.8.5 or later. As a temporary workaround, consider restricting access to External RoleTemplates to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Rancher RKE1 versions 2.7.0 through 2.7.13 Rancher RKE1 versions 2.8.0 through 2.8.4 **Description** A vulnerability has been identified in which an RKE1 cluster keeps constantly reconciling when secrets encryption configuration is enabled. When reconciling, the Kube API secret values are written in plaintext on the AppliedSpec. Cluster owners, Cluster members, and Project members (for projects within the cluster), all have RBAC permissions to view the cluster object from the apiserver. **Recommendations** For Rancher RKE1 versions 2.7.0 through 2.7.13, update to version 2.7.14 or later to resolve the issue. For Rancher RKE1 versions 2.8.0 through 2.8.4, update to version 2.8.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the cluster object from the apiserver to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Rancher Kubernetes Engine (RKE) versions prior to 1.4.19 Rancher Kubernetes Engine (RKE) versions prior to 1.5.10 Rancher versions prior to 2.7.14 Rancher versions prior to 2.8.5 **Description** The issue is related to the storage of cluster state in a configmap called `full-cluster-state` inside the `kube-system` namespace of the cluster itself. This cluster state object contains sensitive data, including SSH private keys, cloud provider credentials, and encryption keys. Non-admin users can escalate to admin by accessing this configmap. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents where this issue was exploited. Technical details about exploitation include: - API Endpoints: Not specified - Vulnerable Parameters or Variables: `full-cluster-state` configmap, `RancherKubernetesEngineConfig`, `RKENodeConfig`, `SSH username`, `SSH private key`, `SSH private key path`, `RKEConfigServices`, `ETCDService`, `External client key`, `BackupConfig`, `S3BackupConfig`, `AWS access key`, `AWS secret key`, `KubeAPIService`, `SecretsEncryptionConfig`, `K8s encryption configuration`, `PrivateRegistries`, `User`, `Password`, `ECRCredentialPlugin`, `AWS access key`, `AWS secret key`, `AWS session token`, `CloudProvider`, `AzureCloudProvider`, `AAD client ID`, `AAD client secret`, `AAD client cert password`, `OpenstackCloudProvider`, `Username`, `User ID`, `Password`, `VsphereCloudProvider`, `GlobalVsphereOpts`, `User`, `Password`, `VirtualCenterConfig`, `User`, `Password`, `HarvesterCloudProvider`, `CloudConfig`, `CustomCloudProvider`, `BastionHost`, `User`, `SSH key`, `CertificatesBundle`, `Private key`, `EncryptionConfig`, `Private key` - Function Names: Not specified **Recommendations** For RKE versions prior to 1.4.19, upgrade to version 1.4.19 or later. For RKE versions prior to 1.5.10, upgrade to version 1.5.10 or later. For Rancher versions prior to 2.7.14, upgrade to version 2.7.14 or later. For Rancher versions prior to 2.8.5, upgrade to version 2.8.5 or later. As a temporary workaround, consider restricting access to the `full-cluster-state` configmap to minimize the risk of exploitation.