PT-2024-10044 · Rancher+1

Guilherme Macedo · Published 2024-10-25 · Updated 2024-11-13

CVE-2022-45157 · CVSS v3.1 9.1 (Critical) · Vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

Name of the Vulnerable Software and Affected Versions

Rancher versions prior to 2.8.9
Rancher versions prior to 2.9.3
Rancher versions 2.7.0 through 2.7.x

Description

A vulnerability has been identified in the way Rancher stores the vSphere CPI (Cloud Provider Interface) and CSI (Container Storage Interface) credentials used to deploy clusters through the vSphere cloud provider. The vSphere CPI and CSI passwords were written in plaintext into objects inside Rancher. The exposed passwords were accessible in the following objects:

provisioning.cattle.io: spec.rkeConfig.chartValues.rancher-vsphere-cpi and spec.rkeConfig.chartValues.rancher-vsphere-csi
rke.cattle.io.rkecontrolplane: spec.chartValues.rancher-vsphere-cpi and spec.chartValues.rancher-vsphere-csi

Anyone permitted to read those objects, whether through the Rancher API or with kubectl against Rancher's local (management) cluster, could therefore recover the vCenter password. The vulnerability only applies to users who deploy clusters in vSphere environments.

Recommendations

For Rancher versions prior to 2.8.9, update to version 2.8.9 or later and run the script provided in the support tools to clean up any vulnerable leftover vSphere cluster credentials.
For Rancher versions prior to 2.9.3, update to version 2.9.3 or later and run the same support-tools script.
For Rancher versions 2.7.0 through 2.7.x, update to one of the patched versions by following the standard update procedure for the 2.7 version in use, then enable the provisioningprebootstrap feature flag after updating.

The update changes how new credentials are stored; the support-tools script exists because objects that already contain a plaintext password are not rewritten by the update alone, so run it and confirm afterwards that the fields listed above no longer carry a password.

As a temporary workaround, restrict access to Rancher to trusted users and do not give untrusted users direct access to the clusters' infrastructure.
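Added example, not part of this advisory and not Rancher's support-tools script: a scanner that reads the two object kinds named in the description and reports any vSphere CPI/CSI chart value that still holds a non-empty password, which is the check to run after the update and the cleanup script. It consumes the JSON that `kubectl get clusters.provisioning.cattle.io -A -o json` and `kubectl get rkecontrolplanes.rke.cattle.io -A -o json` print against Rancher's local cluster. It assumes the password sits under a key literally named `password` somewhere inside the chart values (an assumption; any such key is flagged), and the embedded sample objects are constructed for the demonstration, not real cluster data.

```python
"""Report leftover plaintext vSphere CPI/CSI passwords (CVE-2022-45157).

Usage against Rancher's local (management) cluster:
  kubectl get clusters.provisioning.cattle.io -A -o json > prov.json
  kubectl get rkecontrolplanes.rke.cattle.io -A -o json > rkecp.json
  python3 scan_vsphere_creds.py prov.json rkecp.json
With no arguments it scans the constructed SAMPLE_ITEMS below.
"""
import json
import sys

# Where each object kind keeps its chart values, per the advisory.
CHART_VALUES_PATH = {
    "Cluster": ("spec", "rkeConfig", "chartValues"),   # clusters.provisioning.cattle.io
    "RKEControlPlane": ("spec", "chartValues"),         # rkecontrolplanes.rke.cattle.io
}
VSPHERE_CHARTS = ("rancher-vsphere-cpi", "rancher-vsphere-csi")
# Assumption: the vCenter password is stored under a key literally named "password".
SECRET_KEYS = frozenset({"password"})


def _lookup(obj, path):
    """Follow a tuple of dict keys; return None if any step is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def _leaves(node, dotted, key=None):
    """Yield (dotted_path, last_dict_key, value) for every scalar under node."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _leaves(v, f"{dotted}.{k}", k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _leaves(v, f"{dotted}[{i}]", key)
    else:
        yield dotted, key, node


def find_plaintext_passwords(items):
    """Return (kind, namespace/name, dotted_path) for each populated password."""
    findings = []
    for item in items:
        kind = item.get("kind")
        path = CHART_VALUES_PATH.get(kind)
        if path is None:
            continue                       # not one of the kinds the advisory names
        chart_values = _lookup(item, path) or {}
        meta = item.get("metadata", {})
        ident = f"{meta.get('namespace', '')}/{meta.get('name', '')}"
        for chart in VSPHERE_CHARTS:
            values = chart_values.get(chart)
            if not isinstance(values, dict):
                continue
            for dotted, key, value in _leaves(values, ".".join(path) + "." + chart):
                # An empty string means the field was cleared; only a non-empty value counts.
                if key in SECRET_KEYS and isinstance(value, str) and value:
                    findings.append((kind, ident, dotted))
    return findings


def load_items(text):
    """Accept either a single object or the `kind: List` wrapper kubectl emits."""
    doc = json.loads(text)
    return doc.get("items", []) if doc.get("kind") == "List" else [doc]


# Constructed sample data (not from a real cluster): a vSphere cluster whose CPI
# password is still inline, its control plane with the CSI password inline, and
# a non-vSphere cluster that must not be flagged.
SAMPLE_ITEMS = [
    {"kind": "Cluster", "apiVersion": "provisioning.cattle.io/v1",
     "metadata": {"namespace": "fleet-default", "name": "vsphere-prod"},
     "spec": {"rkeConfig": {"chartValues": {
         "rancher-vsphere-cpi": {"vCenter": {"host": "vc.example.test",
                                             "username": "cpi@vsphere.local",
                                             "password": "hunter2"}},
         "rancher-vsphere-csi": {"vCenter": {"host": "vc.example.test",
                                             "username": "csi@vsphere.local",
                                             "password": ""}}}}}},
    {"kind": "RKEControlPlane", "apiVersion": "rke.cattle.io/v1",
     "metadata": {"namespace": "fleet-default", "name": "vsphere-prod"},
     "spec": {"chartValues": {
         "rancher-vsphere-csi": {"vCenter": {"password": "hunter2"}}}}},
    {"kind": "Cluster", "apiVersion": "provisioning.cattle.io/v1",
     "metadata": {"namespace": "fleet-default", "name": "aws-prod"},
     "spec": {"rkeConfig": {"chartValues": {}}}},
]


def main(argv):
    items = []
    for fname in argv[1:]:
        with open(fname) as fh:
            items.extend(load_items(fh.read()))
    if not argv[1:]:
        items = SAMPLE_ITEMS
    findings = find_plaintext_passwords(items)
    for kind, ident, dotted in findings:
        print(f"PLAINTEXT {kind} {ident} {dotted}")
    return 1 if findings else 0          # non-zero exit makes it usable in a CI gate


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The scanner exits non-zero when anything is found, so it can gate a post-upgrade runbook; on the sample it reports the CPI password on the provisioning Cluster and the CSI password on the RKEControlPlane and ignores the cleared CSI field and the non-vSphere cluster.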

Fix

Weakness Enumeration

Insufficiently Protected Credentials (CWE-522)

Related Identifiers

BDU:2025-00182
CVE-2022-45157
GHSA-XJ7W-R753-VJ8V
GO-2024-3223
OPENSUSE-SU-2024:0350-1
OPENSUSE-SU-2024:14447-1
OPENSUSE-SU-2024_3911-1
SUSE-SU-2024:3911-1

Affected Products

Rancher
Suse