
Cloud Vulnerability DB
A community-led vulnerabilities database
A security issue (CVE-2022-3294) was discovered in Kubernetes where users may have access to secure endpoints in the control plane network. The vulnerability affects Kubernetes clusters where untrusted users can modify Node objects and send proxy requests to them. While Kubernetes supports node proxying and validates proxying addresses for Nodes, a bug in kube-apiserver made it possible to bypass this validation, potentially allowing authenticated requests destined for Nodes to access the API server's private network. This vulnerability was rated Medium with a CVSS score of 8.8 (High) (Kubernetes Issue, Kubernetes Discussion).
The vulnerability affects Kubernetes kube-apiserver versions <= v1.25.3, v1.24.7, v1.23.13, and v1.22.15. The issue stems from a validation bypass in the node proxying feature, which normally allows kube-apiserver clients to access Kubelet endpoints for Pod connections and container log retrieval. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H, indicating network attack vector with high complexity and high privileges required (Kubernetes Issue).
The vulnerability can affect clusters where the kube-apiserver has connectivity to endpoints that users should not be able to access, including: kube-apiserver in a separate network from worker nodes, localhost services, and mTLS services that accept the same client certificate as nodes. The severity depends on the privileges and sensitivity of the exploitable endpoints. Successful exploitation could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS) (Kubernetes Issue).
The primary mitigation is upgrading the kube-apiserver to fixed versions: v1.25.4, v1.24.8, v1.23.14, or v1.22.16. Alternatively, configuring an egress proxy for egress to the cluster network can mitigate this vulnerability. It's important to note that the fix may break clients that depend on the nodes/proxy subresource, specifically if a kubelet advertises a localhost or link-local address to the Kubernetes control plane (Kubernetes Issue).
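Because the issue only matters where a subject can both modify Node objects and reach the nodes/proxy subresource, a defender's first check is RBAC. The audit below is an added example (not Wiz or Kubernetes project code); the ClusterRole and ClusterRoleBinding objects are constructed to mirror the shape of `kubectl get clusterroles,clusterrolebindings -o json`, and only the bare "*" RBAC wildcard is handled.

```python
# Added example (not Wiz or Kubernetes project code): audit ClusterRoles for the
# CVE-2022-3294 precondition, a subject that can both modify Node objects and
# use the nodes/proxy subresource. Only the bare "*" RBAC wildcard is handled.
MODIFY_NODE_VERBS = {"update", "patch"}                       # modify Node objects
PROXY_VERBS = {"get", "create", "update", "patch", "delete"}  # HTTP verbs on nodes/proxy

def _grants(rule, resource, verbs):
    """True if one policy rule covers `resource` in the core API group with any of `verbs`."""
    groups = rule.get("apiGroups", [])
    if "" not in groups and "*" not in groups:
        return False
    resources = set(rule.get("resources", []))
    if "*" not in resources and resource not in resources:
        return False
    rule_verbs = set(rule.get("verbs", []))
    return "*" in rule_verbs or bool(rule_verbs & verbs)

def roles_meeting_precondition(cluster_roles):
    """Names of ClusterRoles whose rules permit both Node modification and nodes/proxy."""
    hits = []
    for role in cluster_roles:
        rules = role.get("rules", [])
        if (any(_grants(r, "nodes", MODIFY_NODE_VERBS) for r in rules)
                and any(_grants(r, "nodes/proxy", PROXY_VERBS) for r in rules)):
            hits.append(role["metadata"]["name"])
    return hits

def subjects_for_roles(bindings, role_names):
    """Subjects (kind/name) bound to any of the flagged ClusterRoles, sorted."""
    out = set()
    for b in bindings:
        if b["roleRef"]["kind"] == "ClusterRole" and b["roleRef"]["name"] in role_names:
            out.update(f'{s["kind"]}/{s["name"]}' for s in b.get("subjects", []))
    return sorted(out)

# Constructed sample objects, shaped like `kubectl get clusterroles,clusterrolebindings -o json`.
SAMPLE_CLUSTER_ROLES = [
    {"metadata": {"name": "node-admin"}, "rules": [
        {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "update", "patch"]},
        {"apiGroups": [""], "resources": ["nodes/proxy"], "verbs": ["get", "create"]}]},
    {"metadata": {"name": "node-viewer"}, "rules": [
        {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list", "watch"]}]},
    {"metadata": {"name": "cluster-admin"}, "rules": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]
SAMPLE_BINDINGS = [
    {"roleRef": {"kind": "ClusterRole", "name": "node-admin"}, "subjects": [{"kind": "Group", "name": "ops-team"}]},
    {"roleRef": {"kind": "ClusterRole", "name": "node-viewer"}, "subjects": [{"kind": "User", "name": "auditor"}]},
]
```

Run it against real cluster output by loading the `items` array of each `kubectl ... -o json` dump in place of the constructed lists; any flagged subject that is not a trusted operator is a candidate for tightening until the kube-apiserver is upgraded.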
The vulnerability was reported by Yuval Avrahami of Palo Alto Networks and was publicly disclosed on November 10, 2022. The Kubernetes Security Response Committee coordinated the response and release of patches (Kubernetes Discussion).
Source: This report was generated using AI