PT-2023-1495 · Suse · Suse Rancher

Guilherme Macedo · Published 2023-01-25 · Updated 2023-02-15

CVE-2022-43757
CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions
SUSE Rancher versions prior to 2.5.17
SUSE Rancher versions prior to 2.6.10
SUSE Rancher versions prior to 2.7.1

Description
A Cleartext Storage of Sensitive Information issue in SUSE Rancher allows users on managed clusters to gain access to credentials. The impact depends on the credentials exposed. This issue affects the storage of sensitive fields, secret tokens, encryption keys, and SSH keys that were still being stored in plaintext directly on Kubernetes objects such as Clusters. The exposed credentials are visible in Rancher to authenticated Cluster Owners, Cluster Members, Project Owners, and Project Members of that cluster on the endpoints "/v1/management.cattle.io.cluster" and "/v1/management.cattle.io.clustertemplaterevisions". The fields addressed by this security fix include Cluster.Spec.RancherKubernetesEngineConfig.Services.KubeAPI.SecretsEncryptionConfig.CustomConfig.Providers[].AESGCM.Keys[].Secret, Cluster.Spec.RancherKubernetesEngineConfig.Services.KubeAPI.SecretsEncryptionConfig.CustomConfig.Providers[].AESCBC.Keys[].Secret, and others.

Recommendations
For SUSE Rancher versions prior to 2.5.17, update to version 2.5.17 or later. For SUSE Rancher versions prior to 2.6.10, update to version 2.6.10 or later. For SUSE Rancher versions prior to 2.7.1, update to version 2.7.1 or later. After upgrading to a patched version, check for the ACISecretsMigrated and RKESecretsMigrated conditions on Clusters and ClusterTemplateRevisions to confirm that secrets have been fully migrated off of those objects. As a temporary workaround, consider restricting access to the vulnerable endpoints until a patch is available. Review for potentially leaked credentials and change them if deemed necessary.
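The post-upgrade check described above, as an added example that is neither part of this advisory nor Rancher's own tooling: it takes a listing in the shape of `kubectl get clusters.management.cattle.io -o json` (a constructed sample is embedded; the exact JSON layout under `spec` is an assumption that mirrors the advisory's field path), reports whether both migration conditions read True, and lists any non-empty `secret` fields still present on the object. A condition that is absent is treated as not yet migrated.

```python
import json

# Conditions Rancher sets once secrets have been moved off the object (names from the advisory).
MIGRATION_CONDITIONS = ("ACISecretsMigrated", "RKESecretsMigrated")

# Constructed sample shaped like `kubectl get clusters.management.cattle.io -o json`;
# the layout under "spec" is an assumption modelled on the advisory's field path.
SAMPLE = json.loads("""
{"items": [
  {"kind": "Cluster", "metadata": {"name": "c-migrated"},
   "spec": {"rancherKubernetesEngineConfig": {"services": {"kubeApi": {"secretsEncryptionConfig":
     {"customConfig": {"providers": [{"aesgcm": {"keys": [{"name": "key1", "secret": ""}]}}]}}}}}},
   "status": {"conditions": [{"type": "RKESecretsMigrated", "status": "True"},
                             {"type": "ACISecretsMigrated", "status": "True"}]}},
  {"kind": "Cluster", "metadata": {"name": "c-pending"},
   "spec": {"rancherKubernetesEngineConfig": {"services": {"kubeApi": {"secretsEncryptionConfig":
     {"customConfig": {"providers": [{"aescbc": {"keys": [{"name": "key1", "secret": "PLACEHOLDER-KEY"}]}}]}}}}}},
   "status": {"conditions": [{"type": "RKESecretsMigrated", "status": "False"}]}}
]}
""")

def migration_state(item):
    """Map each migration condition to its status; an absent condition reads 'Missing'."""
    conds = {c.get("type"): c.get("status") for c in item.get("status", {}).get("conditions", [])}
    return {name: conds.get(name, "Missing") for name in MIGRATION_CONDITIONS}

def plaintext_secret_paths(node, path="spec"):
    """Collect JSON paths of non-empty string fields named 'secret' anywhere under the spec."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key.lower() == "secret" and isinstance(value, str) and value:
                found.append(f"{path}.{key}")
            else:
                found.extend(plaintext_secret_paths(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            found.extend(plaintext_secret_paths(value, f"{path}[{i}]"))
    return found

def audit(listing):
    """Per object: condition states, whether all are True, and leftover plaintext secret paths."""
    report = {}
    for item in listing.get("items", []):
        state = migration_state(item)
        report[item["metadata"]["name"]] = {"conditions": state,
            "migrated": all(v == "True" for v in state.values()),
            "plaintext": plaintext_secret_paths(item.get("spec", {}))}
    return report
```

Feed `audit()` the `json.load()` of the real kubectl output and run it a second time over `clustertemplaterevisions.management.cattle.io`; any object with `migrated` False or a non-empty `plaintext` list still needs attention.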

Weakness Enumeration

Cleartext Storage of Sensitive Information
Information Disclosure
OS Command Injection

Related Identifiers

BDU:2023-00908
BDU:2023-00909
CVE-2022-43757
GHSA-CQ4P-VP5Q-4522

Affected Products

Suse Rancher