CVE-2023-30617: 
vulnerability analysis and mitigation

CVE-2023-30617 affects Kruise, a system that provides automated management of large-scale applications on Kubernetes. The vulnerability was discovered in version 0.8.0 and affects versions prior to 1.3.1, 1.4.1, and 1.5.2. This security issue allows an attacker with root privileges on a node running kruise-daemon to access sensitive cluster-wide information (GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N. The issue is classified under CWE-269 (Improper Privilege Management) and CWE-250 (Execution with Unnecessary Privileges). The technical root cause stems from the kruise-daemon pod having excessive permissions to list all secrets across the entire cluster (NVD).

An attacker who has gained root privilege on a node running kruise-daemon can leverage the pod to list all secrets in the entire cluster. Subsequently, the attacker can use the captured secrets, such as the kruise-manager service account token, to gain additional privileges including pod modification capabilities (GitHub Advisory).

The issue has been patched in versions 1.3.1, 1.4.1, and 1.5.2. Users are advised to upgrade to these versions based on their current deployment version. For users who cannot immediately upgrade and do not require imagepulljob functions, a workaround is available by modifying kruise-daemon-role to remove the cluster-level secret get/list privilege (GitHub Advisory).