CVE-2023-22651: Critical flaw affects Rancher open source container management platform

by do son · Published April 24, 2023 · Updated April 24, 2023

In the rapidly evolving world of containerization, Rancher has emerged as a popular open-source container management platform. It simplifies Kubernetes deployment and enables organizations to meet IT requirements while empowering DevOps teams. However, a recently discovered security vulnerability in the Rancher admission Webhook update logic has raised alarms.

The CVE-2023-22651 (CVSS score of 9.9) Vulnerability: Misconfiguration in Rancher’s Admission Webhook

The root of the issue lies in Rancher’s admission Webhook, a component responsible for enforcing validation rules and security checks before resources are admitted into the Kubernetes cluster. A failure in the update logic may lead to the misconfiguration of this crucial Webhook, which in turn impairs its validation capabilities.

The Consequences: Privilege Escalations and Data Corruption

With the Webhook operating in a degraded state, resources are no longer validated, opening the door for severe privilege escalations and data corruption. As a result, the security and integrity of the Kubernetes cluster are jeopardized.

Who’s Affected: Upgraded Rancher Users

Detecting the Issue: Identifying Affected Rancher Instances

To determine if your Rancher instance is affected, run the following command on the local cluster:

$ kubectl get validatingwebhookconfigurations.admissionregistration.k8s.io rancher.cattle.io

If the output displays a webhook quantity of 0, your Rancher instance is vulnerable:

NAME WEBHOOKS AGE
rancher.cattle.io 0 19h

The Solution: Patches and Workarounds

The Rancher team has promptly released patches to address this vulnerability, with version 2.7.3 and later versions incorporating the necessary fixes.

For those unable to update to a patched version, a recommended workaround is to manually reconfigure the Webhook using the provided script. Note that the script must be run from inside the local cluster or with a kubeconfig pointing to the local cluster with admin permissions.

#!/bin/bash



set -euo pipefail



function prereqs() {

    if ! [ -x "$(command -v kubectl)" ]; then

      echo "error: kubectl is not installed." >&2

      exit 1

    fi



    if [[ -z "$(kubectl config view -o jsonpath='{.clusters[].cluster.server}')" ]]; then

        echo "error: No kubernetes cluster found on kubeconfig." >&2

        exit 1

    fi

}



function restart_deployment(){

    kubectl rollout restart deployment rancher-webhook -n cattle-system

    kubectl rollout status deployment rancher-webhook -n cattle-system --timeout=30s

}



function workaround() {

    echo "Cluster: $(kubectl config view -o jsonpath='{.clusters[].cluster.server}')"



    if ! kubectl get validatingwebhookconfigurations.admissionregistration.k8s.io rancher.cattle.io > /dev/null 2>&1; then

        echo "webhook rancher.cattle.io not found, restarting deployment:"

        restart_deployment



        echo "waiting for webhook configuration"

        sleep 15s

    fi



    local -i webhooks

    webhooks="$(kubectl get validatingwebhookconfigurations.admissionregistration.k8s.io rancher.cattle.io --no-headers | awk '{ print $2 }')"



    if [ "${webhooks}" == "0" ]; then

        echo "Webhook misconfiguration status: Cluster is affected by CVE-2023-22651"

        

        echo "Running workaround:"

        kubectl delete validatingwebhookconfiguration rancher.cattle.io

        restart_deployment



        ret=$?

        if [ $ret -eq 0 ]; then

            echo "Webhook restored, CVE-2023-22651 is fixed"

        else

            echo "error trying to restart deployment. try again in a few seconds."

        fi

    else

        echo "Webhook misconfiguration status: not present (skipping)"

    fi



    echo "Done"

}



function main() {

    prereqs

    workaround

}



main

CVE-2023-22651: Critical flaw affects Rancher open source container management platform

Search

Brilliantly

Content & Links