CVE-2024-22032: 
vulnerability analysis and mitigation

CVE-2024-22032 is a vulnerability identified in RKE1 clusters when secrets encryption configuration is enabled. The vulnerability was discovered and disclosed in 2024, affecting RKE1/Rancher Manager versions >= 2.7.0, < 2.7.14 and >=2.8.0, < 2.8.5. The issue causes the cluster to continuously reconcile, during which Kube API secret values are written in plaintext on the AppliedSpec (Rancher Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. It is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The issue specifically occurs during cluster reconciliation when secrets encryption configuration is enabled, causing the Kube API secret values to be exposed in plaintext within the cluster's AppliedSpec (NVD, Rancher Advisory).

The vulnerability allows cluster owners, cluster members, and project members (for projects within the cluster) who have RBAC permissions to view the cluster object from the apiserver to access the entire secrets encryption configuration specific for the cluster in plaintext, but only on the applied spec. This exposure could lead to unauthorized access to sensitive encryption configurations (Rancher Advisory).

The vulnerability has been patched in versions 2.7.14 and 2.8.5 of RKE/Rancher Manager. The fix introduces a new change that copies the AppliedSpec before mutating, ensuring that all references to sensitive data are removed when the cluster is reconciled and the AppliedSpec is set. There are no workarounds available, and users are strongly recommended to upgrade to a patched version as soon as possible (Rancher Advisory).