msrc_cve-2022-37968
Vulnerability from csaf_microsoft
Published
2022-10-11 07:00
Modified
2022-10-11 07:00
Summary
Azure Arc-enabled Kubernetes cluster Connect Elevation of Privilege Vulnerability
Notes
Additional Resources
To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle
Disclaimer
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Customer Action
Required. The vulnerability documented by this CVE requires customer action to resolve.
{ "document": { "acknowledgments": [ { "names": [ "\u003ca href=\"https://github.com/enj\"\u003eMo Khan\u003c/a\u003e with \u003ca href=\"https://microsoft.com/\"\u003eMicrosoft\u003c/a\u003e" ] }, { "names": [ "\u003ca href=\"https://github.com/enj\"\u003eMo Khan\u003c/a\u003e with \u003ca href=\"https://microsoft.com/\"\u003eMicrosoft\u003c/a\u003e" ] } ], "aggregate_severity": { "namespace": "https://www.microsoft.com/en-us/msrc/security-update-severity-rating-system", "text": "Critical" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Public", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en-US", "notes": [ { "category": "general", "text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle", "title": "Additional Resources" }, { "category": "legal_disclaimer", "text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.", "title": "Disclaimer" }, { "category": "general", "text": "Required. 
The vulnerability documented by this CVE requires customer action to resolve.", "title": "Customer Action" } ], "publisher": { "category": "vendor", "contact_details": "secure@microsoft.com", "name": "Microsoft Security Response Center", "namespace": "https://msrc.microsoft.com" }, "references": [ { "category": "self", "summary": "CVE-2022-37968 Azure Arc-enabled Kubernetes cluster Connect Elevation of Privilege Vulnerability - HTML", "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37968" }, { "category": "self", "summary": "CVE-2022-37968 Azure Arc-enabled Kubernetes cluster Connect Elevation of Privilege Vulnerability - CSAF", "url": "https://msrc.microsoft.com/csaf/2022/msrc_cve-2022-37968.json" }, { "category": "external", "summary": "Microsoft Exploitability Index", "url": "https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1" }, { "category": "external", "summary": "Microsoft Support Lifecycle", "url": "https://support.microsoft.com/lifecycle" }, { "category": "external", "summary": "Common Vulnerability Scoring System", "url": "https://www.first.org/cvss" } ], "title": "Azure Arc-enabled Kubernetes cluster Connect Elevation of Privilege Vulnerability", "tracking": { "current_release_date": "2022-10-11T07:00:00.000Z", "generator": { "date": "2025-01-02T21:26:57.289Z", "engine": { "name": "MSRC Generator", "version": "1.0" } }, "id": "msrc_CVE-2022-37968", "initial_release_date": "2022-10-11T07:00:00.000Z", "revision_history": [ { "date": "2022-10-11T07:00:00.000Z", "legacy_version": "1", "number": "1", "summary": "Information published." 
} ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_version_range", "name": "\u003c1.8.11", "product": { "name": "Azure Arc-enabled Kubernetes cluster 1.8.11 \u003c1.8.11", "product_id": "2" } }, { "category": "product_version", "name": "1.8.11", "product": { "name": "Azure Arc-enabled Kubernetes cluster 1.8.11 1.8.11", "product_id": "12092" } } ], "category": "product_name", "name": "Azure Arc-enabled Kubernetes cluster 1.8.11" }, { "branches": [ { "category": "product_version_range", "name": "\u003c1.7.18", "product": { "name": "Azure Arc-enabled Kubernetes cluster 1.7.18 \u003c1.7.18", "product_id": "3" } }, { "category": "product_version", "name": "1.7.18", "product": { "name": "Azure Arc-enabled Kubernetes cluster 1.7.18 1.7.18", "product_id": "12091" } } ], "category": "product_name", "name": "Azure Arc-enabled Kubernetes cluster 1.7.18" }, { "branches": [ { "category": "product_version_range", "name": "\u003c1.5.8", "product": { "name": "Azure Arc-enabled Kubernetes cluster 1.5.8 \u003c1.5.8", "product_id": "5" } }, { "category": "product_version", "name": "1.5.8", "product": { "name": "Azure Arc-enabled Kubernetes cluster 1.5.8 1.5.8", "product_id": "12089" } } ], "category": "product_name", "name": "Azure Arc-enabled Kubernetes cluster 1.5.8" }, { "branches": [ { "category": "product_version_range", "name": "\u003c1.6.19", "product": { "name": "Azure Arc-enabled Kubernetes cluster 1.6.19 \u003c1.6.19", "product_id": "4" } }, { "category": "product_version", "name": "1.6.19", "product": { "name": "Azure Arc-enabled Kubernetes cluster 1.6.19 1.6.19", "product_id": "12090" } } ], "category": "product_name", "name": "Azure Arc-enabled Kubernetes cluster 1.6.19" }, { "branches": [ { "category": "product_version_range", "name": "\u003c2.2.2088.5593", "product": { "name": "Azure Stack Edge \u003c2.2.2088.5593", "product_id": "1" } }, { "category": "product_version", "name": "2.2.2088.5593", "product": 
{ "name": "Azure Stack Edge 2.2.2088.5593", "product_id": "12093" } } ], "category": "product_name", "name": "Azure Stack Edge" } ] }, "vulnerabilities": [ { "cve": "CVE-2022-37968", "notes": [ { "category": "general", "text": "Microsoft", "title": "Assigning CNA" }, { "category": "faq", "text": "An attacker who knows the randomly generated external DNS endpoint for an Azure Arc-enabled Kubernetes cluster can exploit this vulnerability from the internet. Successful exploitation of this vulnerability, which affects the cluster connect feature of Azure Arc-enabled Kubernetes clusters, allows an unauthenticated user to elevate their privileges as cluster admins and potentially gain control over the Kubernetes cluster. Azure Stack Edge allows customers to deploy Kubernetes workloads on their devices via Azure Arc; therefore Azure Stack Edge devices are also vulnerable.", "title": "How could an attacker exploit this vulnerability?" }, { "category": "faq", "text": "The vulnerability is in Azure Arc but could also impact the Kubernetes cluster and Azure Stack Edge that is connected to the vulnerable Azure Arc.\nSee the Security Updates Table for the affected versions of these products.", "title": "According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?" }, { "category": "faq", "text": "Azure Arc allows customers to connect on-premises infrastructure (server, Kubernetes, etc.) to Azure for ease of management. Azure Arc simplifies governance and management by delivering a consistent multi-cloud and on-premises management platform. For more information, please see Azure Arc overview.", "title": "What does Azure Arc do?" }, { "category": "faq", "text": "Auto-upgrade is enabled by default for customers using Azure Arc; however, if you manually control your updates, action is required to upgrade to the latest version. 
Microsoft recommends that customers using Azure Arc-enabled Kubernetes clusters upgrade to agent versions 1.5.8 and above, 1.6.19 and above, 1.7.18 and above, or 1.8.11 and above as appropriate to be protected from this vulnerability. Customers who have already upgraded to version 1.8.14 are already protected from this vulnerability.\nGuidance is available in the Check agent version section of Upgrade Azure Arc-enabled Kubernetes agents.\nGuidance is available in the Check if automatic upgrade is enabled on a cluster section of Upgrade Azure Arc-enabled Kubernetes agents.\n.\nHow do I protect myself from this vulnerability?\nCustomers with Auto-Upgrade enabled have been updated automatically and are protected. If you do not have auto-upgrade enabled, manually update to the latest version.\nUpgrade guidance is available in Manually upgrade agents section of Upgrade Azure Arc-enabled Kubernetes agents. For more information on Azure Arc-enabled Kubernetes cluster upgrade, see Toggle automatic upgrade on or off after connecting a cluster to Azure Arc.\nCustomers using Azure Stack Edge must update to the 2209 release (software version 2.2.2088.5593). Release notes for the 2209 release of Azure Stack Edge can be found here: Azure Stack Edge 2209 release notes.", "title": "What version of the Azure Arc-enabled Kubernetes cluster addresses this vulnerability?" }, { "category": "faq", "text": "Azure Stack Edge Pro 2 is a new generation of an AI-enabled edge computing device offered as a service from Microsoft. This article provides you an overview of the Azure Stack Edge Pro 2 solution. For more information on Azure Stack Edge, please see What is Azure Stack Edge Pro 2?.", "title": "What does Azure Stack Edge do?" }, { "category": "faq", "text": "Azure Arc-enabled Kubernetes allows you to attach and configure Kubernetes clusters running anywhere. 
You can connect your clusters running on other public cloud providers (such as GCP or AWS) or clusters running on your on-premises data center (such as VMware vSphere or Azure Stack HCI) to Azure Arc. For more information please see What is Azure Arc-enabled Kubernetes?.", "title": "What does Azure Arc-enabled Kubernetes cluster do?" } ], "product_status": { "fixed": [ "12089", "12090", "12091", "12092", "12093" ], "known_affected": [ "1", "2", "3", "4", "5" ] }, "references": [ { "category": "self", "summary": "CVE-2022-37968 Azure Arc-enabled Kubernetes cluster Connect Elevation of Privilege Vulnerability - HTML", "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37968" }, { "category": "self", "summary": "CVE-2022-37968 Azure Arc-enabled Kubernetes cluster Connect Elevation of Privilege Vulnerability - CSAF", "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37968" } ], "remediations": [ { "category": "vendor_fix", "date": "2022-10-11T07:00:00.000Z", "details": "1.8.11:Security Update:https://learn.microsoft.com/en-us/azure/azure-arc/data/release-notes", "product_ids": [ "2" ], "url": "https://learn.microsoft.com/en-us/azure/azure-arc/data/release-notes" }, { "category": "vendor_fix", "date": "2022-10-11T07:00:00.000Z", "details": "1.7.18:Security Update:https://learn.microsoft.com/en-us/azure/azure-arc/data/release-notes", "product_ids": [ "3" ], "url": "https://learn.microsoft.com/en-us/azure/azure-arc/data/release-notes" }, { "category": "vendor_fix", "date": "2022-10-11T07:00:00.000Z", "details": "1.5.8:Security Update:https://learn.microsoft.com/en-us/azure/azure-arc/data/release-notes", "product_ids": [ "5" ], "url": "https://learn.microsoft.com/en-us/azure/azure-arc/data/release-notes" }, { "category": "vendor_fix", "date": "2022-10-11T07:00:00.000Z", "details": "1.6.19:Security Update:https://learn.microsoft.com/en-us/azure/azure-arc/data/release-notes", "product_ids": [ "4" ], "url": 
"https://learn.microsoft.com/en-us/azure/azure-arc/data/release-notes" }, { "category": "vendor_fix", "date": "2022-10-11T07:00:00.000Z", "details": "2.2.2088.5593:Security Update:https://learn.microsoft.com/en-us/azure/databox-online/azure-stack-edge-gpu-2209-release-notes", "product_ids": [ "1" ], "url": "https://learn.microsoft.com/en-us/azure/databox-online/azure-stack-edge-gpu-2209-release-notes" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "environmentalsScore": 0.0, "exploitCodeMaturity": "UNPROVEN", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "remediationLevel": "OFFICIAL_FIX", "reportConfidence": "CONFIRMED", "scope": "CHANGED", "temporalScore": 8.7, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C", "version": "3.1" }, "products": [ "1", "2", "3", "4", "5" ] } ], "threats": [ { "category": "impact", "details": "Elevation of Privilege" }, { "category": "exploit_status", "details": "Exploited:No;Latest Software Release:Exploitation Less Likely;Older Software Release:Exploitation Less Likely" } ], "title": "Azure Arc-enabled Kubernetes cluster Connect Elevation of Privilege Vulnerability" } ] }