We are pleased to announce that with this release we bring the AKS HCI management cluster to Kubernetes version 1.25.7. This update lays the basis for supporting future versions of Kubernetes for your workload clusters. Here is a complete list of the security updates that are included:
CVE-2023-2728: Bypassing enforce mountable secrets policy imposed by the ServiceAccount admission plugin. This security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers.
Fixed cgroup removal error when using runc binary >= 1.1.6.
runc through 1.1.4 had incorrect access control leading to escalation of privileges, related to libcontainer/rootfs_linux.go. An attacker who is able to spawn two containers with custom volume-mount configurations would be able to run any custom images.
CVE-2022-3162: Unauthorized read of Custom Resources
A security issue was discovered in Kubernetes where users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group they are not authorized to read.
CVE-2022-3172: Aggregated API server can cause clients to be redirected (SSRF)
A security issue was discovered in kube-apiserver that could allow an attacker-controlled aggregated API server to redirect client traffic to any URL. This could lead to the client performing unexpected actions as well as leaking the client's credentials to third parties. There is no mitigation for this issue. Cluster admins should take care to secure aggregated API servers and should not grant access to mutate APIServices to untrusted parties.
CVE-2021-3121: An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation. This would allow modification of some system files or information and could have reduced performance or interruption in resource availability.
CVE-2023-32681: The Python Requests library has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint, allowing a malicious actor to potentially exfiltrate sensitive information.
CVE-2023-29491: ncurses allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file found in $HOME/.terminfo.
This release includes a few important bug fixes:
It fixes a bug at kube-apiserver start where APIService objects for custom resources could be deleted and recreated.
If kubeadm reset finds no etcd member ID for the peer it removes during the remove-etcd-member phase, it continues immediately to other phases, instead of retrying the phase for up to 3 minutes before continuing.
Kubeadm: fixed a bug where the static pod change detection logic was inconsistent with the kubelet.
Fixed incorrect calculation for ResourceQuota with PriorityClass as its scope.
Fixed a bug where a volume was not detached after the pod and PVC objects were deleted.
Fixed missing delete events on informer re-lists, so that all delete events are correctly emitted using the latest known object state and all event handlers and stores reflect the actual apiserver state as closely as possible.
Fixed: the route controller now updates routes when a node's IP changes.
Fixed a regression in the pod binding subresource to honor the metadata.uid precondition. This allows kube-scheduler to ensure it assigns node names to the same instances of pods it made scheduling decisions for.
Kubelet: fixed fs quota monitoring on volumes.
Fixed a data race in kube-scheduler when preemption races with a Pod update.
Fixed a bug that caused the apiserver to panic when allocating a Service with a dynamic ClusterIP on a cluster configured with Service CIDRs using a /28 mask for IPv4 and a /124 mask for IPv6.
Fixed a regression where the scheduler always went through all Filter plugins.
Optimized load balancer creation by using the Internal Traffic Policy: Local attribute.
Updated golang.org/x/net to fix CVE-2022-41717.
Kube-apiserver: resolved a regression that treated 304 Not Modified responses from aggregated API servers as internal errors.
As always, you can try AKS on Azure Stack HCI or Windows Server any time even if you do not have the hardware handy using our eval guide to set up AKS on a Windows Server Azure VM.
Once you have downloaded and installed the AKS on Azure Stack HCI or Windows Server Update – you can report any issues you encounter, follow our plans, and check out recently released updates through the AKS hybrid roadmap in GitHub.