SUSE update for kubernetes1.23
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2021-25749 CVE-2022-3162 CVE-2022-3294 |
| CWE-ID | CWE-264 CWE-284 CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Containers Module Operating systems & Components / Operating system SUSE Linux Enterprise Server for SAP Applications 15 Operating systems & Components / Operating system SUSE Linux Enterprise Server 15 Operating systems & Components / Operating system SUSE Linux Enterprise Server 15 SP3 LTSS Operating systems & Components / Operating system SUSE Linux Enterprise Real Time 15 Operating systems & Components / Operating system SUSE Linux Enterprise High Performance Computing LTSS 15 Operating systems & Components / Operating system SUSE Linux Enterprise High Performance Computing ESPOS 15 Operating systems & Components / Operating system SUSE Linux Enterprise High Performance Computing 15 Operating systems & Components / Operating system SUSE Enterprise Storage Operating systems & Components / Operating system SUSE Manager Retail Branch Server Operating systems & Components / Operating system SUSE Manager Server Operating systems & Components / Operating system SUSE Manager Proxy Operating systems & Components / Operating system kubernetes1.23-client-debuginfo Operating systems & Components / Operating system package or component kubernetes1.23-client-common Operating systems & Components / Operating system package or component kubernetes1.23-client Operating systems & Components / Operating system package or component |
| Vendor | SUSE |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU71640
Risk: Low
CVSSv3.1: 6.4 [CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-25749
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote user to escalate privileges on the system.
The vulnerability exists due incorrect privilege management. Windows workloads can be executed with the ContainerAdministrator privileges even when the runAsNonRoot option is set to "true".
Update the affected package kubernetes1.23 to the latest version.
Vulnerable software versionsContainers Module: 15-SP4
SUSE Linux Enterprise Server for SAP Applications 15: SP3 - SP4
SUSE Linux Enterprise Server 15: SP3 - SP4
SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3
SUSE Linux Enterprise Real Time 15: SP4
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP3
SUSE Linux Enterprise High Performance Computing 15: SP3 - SP4
SUSE Enterprise Storage: 7.1
SUSE Manager Retail Branch Server: 4.3
SUSE Manager Server: 4.3
SUSE Manager Proxy: 4.3
kubernetes1.23-client-debuginfo: before 1.23.17-150300.7.6.1
kubernetes1.23-client-common: before 1.23.17-150300.7.6.1
kubernetes1.23-client: before 1.23.17-150300.7.6.1
External linkshttp://www.suse.com/support/update/announcement/2023/suse-su-20232292-1/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper access control
EUVDB-ID: #VU71364
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-3162
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. Users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different kind in the same API group they are not authorized to read.
MitigationUpdate the affected package kubernetes1.23 to the latest version.
Vulnerable software versionsContainers Module: 15-SP4
SUSE Linux Enterprise Server for SAP Applications 15: SP3 - SP4
SUSE Linux Enterprise Server 15: SP3 - SP4
SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3
SUSE Linux Enterprise Real Time 15: SP4
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP3
SUSE Linux Enterprise High Performance Computing 15: SP3 - SP4
SUSE Enterprise Storage: 7.1
SUSE Manager Retail Branch Server: 4.3
SUSE Manager Server: 4.3
SUSE Manager Proxy: 4.3
kubernetes1.23-client-debuginfo: before 1.23.17-150300.7.6.1
kubernetes1.23-client-common: before 1.23.17-150300.7.6.1
kubernetes1.23-client: before 1.23.17-150300.7.6.1
External linkshttp://www.suse.com/support/update/announcement/2023/suse-su-20232292-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Input validation error
EUVDB-ID: #VU76474
Risk: Medium
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-3294
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote user to execute arbitrary cod on the system.
The vulnerability exists due to users may have access to secure endpoints in the control plane network. A remote user can trigger the vulnerability and allow authenticated requests destined for Nodes to the API server's private network.
MitigationUpdate the affected package kubernetes1.23 to the latest version.
Vulnerable software versionsContainers Module: 15-SP4
SUSE Linux Enterprise Server for SAP Applications 15: SP3 - SP4
SUSE Linux Enterprise Server 15: SP3 - SP4
SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3
SUSE Linux Enterprise Real Time 15: SP4
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP3
SUSE Linux Enterprise High Performance Computing 15: SP3 - SP4
SUSE Enterprise Storage: 7.1
SUSE Manager Retail Branch Server: 4.3
SUSE Manager Server: 4.3
SUSE Manager Proxy: 4.3
kubernetes1.23-client-debuginfo: before 1.23.17-150300.7.6.1
kubernetes1.23-client-common: before 1.23.17-150300.7.6.1
kubernetes1.23-client: before 1.23.17-150300.7.6.1
External linkshttp://www.suse.com/support/update/announcement/2023/suse-su-20232292-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
