Description
kyverno verifyImages rule bypass possible with malicious proxy/registry
Impact
Affected: users of Kyverno versions 1.8.3 or 1.8.4 who rely on verifyImages rules to verify container image signatures and do not restrict which registries images may be pulled from. In that configuration a malicious registry, or an attacker in a man-in-the-middle position between Kyverno and the registry, can cause an unsigned image to be admitted into a protected cluster despite the verifyImages rule.
Patches
This issue has been fixed in version 1.8.5.
Workarounds
Configure a Kyverno policy that restricts image pulls to an explicit allowlist of trusted registries (see the restrict_image_registries sample policy in the references below). This limits the attack to registries you already trust but does not replace upgrading to 1.8.5.
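The ClusterPolicy below is an added example of that workaround, written for this page rather than copied from the advisory or from the Kyverno project; it follows the shape of the restrict_image_registries best-practice policy linked below. The registry names registry.example.com and ghcr.io/example-org are assumptions and must be replaced with your own trusted registries. It applies the same check to containers, initContainers and ephemeralContainers, because an image reference in any of those fields is pulled and run.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-image-registries
  annotations:
    policies.kyverno.io/description: >-
      Only admit images whose reference starts with an allowlisted
      registry. Added example; the registry names are placeholders
      (assumption), replace them with your own trusted registries.
spec:
  validationFailureAction: enforce   # reject violating Pods, do not merely audit
  background: true                   # also report existing Pods in policy reports
  rules:
  - name: validate-registries
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: >-
        Unknown image registry. Images must be pulled from
        registry.example.com or ghcr.io/example-org.
      pattern:
        spec:
          # The wildcard pattern is matched against the full image string,
          # so each allowed prefix ends with '/' to keep a registry such as
          # registry.example.com.attacker.tld/... from matching. Multiple
          # alternatives are separated by '|'.
          containers:
          - image: "registry.example.com/* | ghcr.io/example-org/*"
          # The =() anchor applies the pattern only when the key is present,
          # so Pods without initContainers or ephemeralContainers still pass.
          =(initContainers):
          - image: "registry.example.com/* | ghcr.io/example-org/*"
          =(ephemeralContainers):
          - image: "registry.example.com/* | ghcr.io/example-org/*"
```

Because the pattern is a string match on the raw image reference, a bare reference such as `nginx` (which resolves to docker.io) does not match and is rejected; that is intended, since implicit registries are exactly the "unknown registries" the advisory warns about. Order the rules so that this policy and your verifyImages rule both apply to the same Pod kinds, and keep the allowlist to registries whose transport you control, since the bypass relies on what the registry or a proxy in front of it returns.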
References
- https://github.com/kyverno/kyverno/security/advisories/GHSA-m3cq-xcx9-3gvm
- https://nvd.nist.gov/vuln/detail/CVE-2022-47633
- https://github.com/kyverno/kyverno/pull/5713
- https://github.com/kyverno/kyverno/compare/v1.8.4...v1.8.5
- https://github.com/kyverno/kyverno/releases/tag/v1.8.5
- https://kyverno.io/docs/writing-policies/verify-images
- https://kyverno.io/policies/best-practices/restrict_image_registries/restrict_image_registries
- https://pkg.go.dev/vuln/GO-2022-1180
- https://web.archive.org/web/20230426095744/https://kyverno.io/policies/best-practices/restrict_image_registries/restrict_image_registries
Packages
Package: github.com/kyverno/kyverno
Affected versions: >= 1.8.3, < 1.8.5
Patched version: 1.8.5
Related vulnerabilities
An image signature validation bypass vulnerability in Kyverno 1.8.3 and 1.8.4 allows a malicious image registry (or a man-in-the-middle attacker) to inject unsigned arbitrary container images into a protected Kubernetes cluster. This has been fixed in 1.8.5, and mitigations (restricting image registries by policy) are available for impacted releases.