Description
Azure Arc-enabled Kubernetes cluster Connect Elevation of Privilege Vulnerability
Microsoft has identified a vulnerability affecting the cluster connect feature of Azure Arc-enabled Kubernetes clusters. This vulnerability could allow an unauthenticated user to elevate their privileges and potentially gain administrative control over the Kubernetes cluster. Additionally, because Azure Stack Edge allows customers to deploy Kubernetes workloads on their devices via Azure Arc, Azure Stack Edge devices are also affected.
FAQ
How could an attacker exploit this vulnerability?
An attacker who knows the randomly generated external DNS endpoint of an Azure Arc-enabled Kubernetes cluster can exploit this vulnerability from the internet, with no credentials. Successful exploitation of the flaw in the cluster connect feature lets an unauthenticated user elevate their privileges to cluster admin and potentially take control of the Kubernetes cluster. Azure Stack Edge allows customers to deploy Kubernetes workloads on their devices via Azure Arc; therefore Azure Stack Edge devices are also vulnerable.
According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?
The vulnerable component is the Azure Arc agent, but a successful attack affects resources beyond it: the Kubernetes cluster, and any Azure Stack Edge device, that is connected through the vulnerable Azure Arc agent.
See the Security Updates Table for the affected versions of these products.
What does Azure Arc do?
Azure Arc allows customers to connect on-premises infrastructure (servers, Kubernetes clusters, etc.) to Azure for ease of management. Azure Arc simplifies governance and management by delivering a consistent multi-cloud and on-premises management platform. For more information, please see Azure Arc overview.
What version of the Azure Arc-enabled Kubernetes cluster addresses this vulnerability?
Auto-upgrade is enabled by default for customers using Azure Arc; however, if you manually control your updates, action is required to upgrade to the latest version. Microsoft recommends that customers using Azure Arc-enabled Kubernetes clusters upgrade to agent versions 1.5.8 and above, 1.6.19 and above, 1.7.18 and above, or 1.8.11 and above, as appropriate for the release line in use, to be protected from this vulnerability. Customers who have already upgraded to version 1.8.14 are already protected from this vulnerability.
How do I check which version of the Azure Arc-enabled Kubernetes cluster I am currently using?
Guidance is available in the Check agent version section of Upgrade Azure Arc-enabled Kubernetes agents.
How do I validate whether I have auto-upgrade turned on?
Guidance is available in the Check if automatic upgrade is enabled on a cluster section of Upgrade Azure Arc-enabled Kubernetes agents.
How do I protect myself from this vulnerability?
Customers with Auto-Upgrade enabled have been updated automatically and are protected. If you do not have auto-upgrade enabled, manually update to the latest version.
Upgrade guidance is available in the Manually upgrade agents section of Upgrade Azure Arc-enabled Kubernetes agents.
For more information on Azure Arc-enabled Kubernetes cluster upgrade, see Toggle automatic upgrade on or off after connecting a cluster to Azure Arc.
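The three steps above (check the agent version, check whether auto-upgrade is on, upgrade if it is not) as a shell script. This is an added example, not Microsoft's guidance or tooling: the patched versions it encodes are the four the advisory lists (1.5.8, 1.6.19, 1.7.18, 1.8.11); that release lines newer than 1.8 carry the fix, and that lines older than 1.5 (not listed) need an upgrade, are assumptions; the `az connectedk8s show --query agentVersion` call and the `AZURE_ARC_AUTOUPDATE` key of the `azure-clusterconfig` ConfigMap are assumed to match the Azure docs the advisory links to, and the resource names are placeholders.

```shell
#!/bin/sh
# Added example for this advisory, not Microsoft's own tooling: classify an
# Azure Arc-enabled Kubernetes agent version against the fixed versions the
# advisory lists (1.5.8, 1.6.19, 1.7.18, 1.8.11), and optionally pull the live
# values from a cluster. Assumptions not stated on the page: release lines
# newer than 1.8 already contain the fix, and lines older than 1.5 (not listed)
# are treated as needing an upgrade.

# Smallest patched patch level for a 1.<minor> line; empty means no fix listed.
fixed_patch_for_minor() {
    case "$1" in
        5) echo 8 ;;
        6) echo 19 ;;
        7) echo 18 ;;
        8) echo 11 ;;
        *) echo "" ;;
    esac
}

# arc_agent_is_patched VERSION
# Prints "patched" or "vulnerable" and returns 0 or 1; returns 2 on bad input.
arc_agent_is_patched() {
    v=$1
    case "$v" in
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) printf 'unrecognised version: %s\n' "$v" >&2; return 2 ;;
    esac
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}   # drop a suffix such as "-preview" or a 4th field
    # Anything newer than the 1.8 line is assumed to carry the fix.
    if [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -gt 8 ]; }; then
        echo patched; return 0
    fi
    min=$(fixed_patch_for_minor "$minor")
    if [ "$major" -eq 1 ] && [ -n "$min" ] && [ "$patch" -ge "$min" ]; then
        echo patched; return 0
    fi
    echo vulnerable; return 1
}

# Live check: read the running agent version and the auto-upgrade flag.
# Resource names are placeholders; the az query and the azure-clusterconfig
# ConfigMap key are assumed to match the Azure docs the advisory links to.
report_cluster() {
    rg=$1; name=$2
    ver=$(az connectedk8s show -g "$rg" -n "$name" --query agentVersion -o tsv)
    auto=$(kubectl -n azure-arc get cm azure-clusterconfig \
        -o jsonpath='{.data.AZURE_ARC_AUTOUPDATE}')
    printf '%s/%s: agent %s is %s (auto-upgrade=%s)\n' \
        "$rg" "$name" "$ver" "$(arc_agent_is_patched "$ver")" "$auto"
}

# Offline run over a few constructed sample versions.
for sample in 1.5.7 1.5.8 1.6.12 1.7.18 1.8.14 1.9.0; do
    printf '%-8s %s\n' "$sample" "$(arc_agent_is_patched "$sample")"
done

# Pass a resource group and cluster name to query a real cluster instead.
if [ "$#" -eq 2 ]; then
    report_cluster "$1" "$2"
fi
```

Run it with no arguments to see the classification of the sample versions; run it as `sh check-arc.sh <resource-group> <cluster-name>` with `az` logged in and `kubectl` pointed at the cluster to check a real one. A cluster reported as vulnerable with `auto-upgrade=false` is the case the advisory's manual-upgrade guidance applies to.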
What version of the Azure Stack Edge cluster addresses this vulnerability?
Customers using Azure Stack Edge must update to the 2209 release (software version 2.2.2088.5593). Release notes for the 2209 release of Azure Stack Edge can be found here: Azure Stack Edge 2209 release notes.
What does Azure Stack Edge do?
Azure Stack Edge Pro 2 is a new generation of AI-enabled edge computing device offered as a service by Microsoft. For more information on Azure Stack Edge, please see What is Azure Stack Edge Pro 2?.
What does Azure Arc-enabled Kubernetes cluster do?
Azure Arc-enabled Kubernetes allows you to attach and configure Kubernetes clusters running anywhere. You can connect your clusters running on other public cloud providers (such as GCP or AWS) or clusters running in your on-premises data center (such as VMware vSphere or Azure Stack HCI) to Azure Arc. For more information, please see What is Azure Arc-enabled Kubernetes?.
Updates
| Product | Article | Update |
|---|---|---|
| Azure Arc-enabled Kubernetes cluster 1.5.8 | | |
| Azure Arc-enabled Kubernetes cluster 1.6.19 | | |
| Azure Arc-enabled Kubernetes cluster 1.7.18 | | |
| Azure Arc-enabled Kubernetes cluster 1.8.11 | | |
| Azure Stack Edge | | |
CVSS3: 10 (Critical)
Related vulnerabilities
Vulnerability in the Azure Arc local-infrastructure connection software of the Azure Stack Edge cloud storage gateway, allowing an attacker to elevate privileges