We are pleased to announce that with this release we bring the AKS HCI management cluster to Kubernetes version 1.25.7. This update lays the groundwork for supporting future versions of Kubernetes on your workload clusters. Here is a complete list of the security updates that are included:
Security Updates
CVE-2023-2728: Bypassing enforce mountable secrets policy imposed by the ServiceAccount admission plugin. This security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers.
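To make the policy behind CVE-2023-2728 concrete, here is an added example (not code from the Kubernetes project or from the AKS hybrid release) that models the mountable-secrets check: a ServiceAccount annotated kubernetes.io/enforce-mountable-secrets: "true" restricts a Pod using it to the Secrets listed in the ServiceAccount's secrets field. The pre-fix behaviour is reproduced by skipping pod.spec.ephemeralContainers, which is where a secretKeyRef or secretRef could slip past the check. The manifests are constructed sample data; the function names are this example's own.

```python
"""Mountable-secrets check in the style of the ServiceAccount admission plugin.

Added example, not Kubernetes or AKS hybrid code. Models CVE-2023-2728: with
include_ephemeral=False the Secret referenced from the ephemeral container is
never inspected, which is the bypass the fix closed. All manifests below are
constructed sample data.
"""

ENFORCE_ANNOTATION = "kubernetes.io/enforce-mountable-secrets"


def allowed_secrets(service_account):
    """Return the allow-list of Secret names, or None when enforcement is off."""
    annotations = service_account.get("metadata", {}).get("annotations", {})
    if annotations.get(ENFORCE_ANNOTATION) != "true":
        return None
    return {s["name"] for s in service_account.get("secrets", [])}


def _container_secret_refs(container):
    """Yield (secret_name, where) for env and envFrom references in one container."""
    for env in container.get("env", []):
        ref = env.get("valueFrom", {}).get("secretKeyRef")
        if ref:
            yield ref["name"], "env " + env["name"]
    for src in container.get("envFrom", []):
        ref = src.get("secretRef")
        if ref:
            yield ref["name"], "envFrom"


def referenced_secrets(pod, include_ephemeral):
    """Yield (secret_name, where) for every Secret the Pod references."""
    spec = pod["spec"]
    for vol in spec.get("volumes", []):
        if "secret" in vol:
            yield vol["secret"]["secretName"], "volume " + vol["name"]
    for ips in spec.get("imagePullSecrets", []):
        yield ips["name"], "imagePullSecrets"
    groups = ["initContainers", "containers"]
    if include_ephemeral:  # the fixed behaviour also walks ephemeral containers
        groups.append("ephemeralContainers")
    for group in groups:
        for c in spec.get(group, []):
            for name, where in _container_secret_refs(c):
                yield name, "%s/%s %s" % (group, c["name"], where)


def check_mountable_secrets(pod, service_account, include_ephemeral=True):
    """Return a list of violation strings; an empty list means the Pod is admitted."""
    allow = allowed_secrets(service_account)
    if allow is None:
        return []
    return ["%s references secret '%s' not in ServiceAccount secrets" % (where, name)
            for name, where in referenced_secrets(pod, include_ephemeral)
            if name not in allow]


# Constructed sample data (hypothetical names, not from any real cluster).
SERVICE_ACCOUNT = {
    "metadata": {"name": "app", "annotations": {ENFORCE_ANNOTATION: "true"}},
    "secrets": [{"name": "app-config"}],
}

POD = {
    "spec": {
        "serviceAccountName": "app",
        "volumes": [{"name": "cfg", "secret": {"secretName": "app-config"}}],
        "containers": [{"name": "web", "image": "example/web",
                        "envFrom": [{"secretRef": {"name": "app-config"}}]}],
        # A debug container of the kind `kubectl debug` adds; it pulls a Secret
        # the ServiceAccount was never allowed to mount.
        "ephemeralContainers": [{"name": "debug", "image": "example/shell",
                                 "env": [{"name": "TOKEN", "valueFrom": {
                                     "secretKeyRef": {"name": "admin-token",
                                                      "key": "token"}}}]}],
    }
}

if __name__ == "__main__":
    print("pre-fix (ephemeral containers skipped):",
          check_mountable_secrets(POD, SERVICE_ACCOUNT, include_ephemeral=False))
    print("fixed (ephemeral containers included):",
          check_mountable_secrets(POD, SERVICE_ACCOUNT, include_ephemeral=True))
```

Ephemeral containers can only mount volumes the Pod already has, so the bypass is through env and envFrom references; that is why the example only needs to extend the per-container walk, not the volume walk.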
CVE-2023-27561, CVE-2023-25809, CVE-2023-28642: runc bumped from v1.1.4 to v1.1.5.
Fixed a cgroup removal error when using a runc binary >= 1.1.6.
For the first of these (CVE-2023-27561): runc through 1.1.4 had incorrect access control leading to escalation of privileges, related to libcontainer/rootfs_linux.go. To exploit it, an attacker must be able to spawn two containers with custom volume-mount configurations and be able to run custom images.
CVE-2022-3162: Unauthorized read of Custom Resources
A security issue was discovered in Kubernetes where users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group that they are not authorized to read.
CVE-2022-3172: Aggregated API server can cause clients to be redirected (SSRF)
A security issue was discovered in kube-apiserver that could allow an attacker-controlled aggregated API server to redirect client traffic to any URL. This could lead to the client performing unexpected actions as well as leaking the client's credentials to third parties. There is no mitigation for this issue short of upgrading. Cluster admins should take care to secure aggregated API servers and should not grant access to mutate APIServices to untrusted parties.
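The advice above is to keep the ability to mutate APIServices away from untrusted parties. The following added example (not AKS hybrid or Kubernetes code) audits that: it walks ClusterRole and ClusterRoleBinding objects in the shape `kubectl get clusterroles,clusterrolebindings -o json` returns and reports every subject that ends up with a mutating verb on apiservices.apiregistration.k8s.io, resolving "*" wildcards. The role and binding objects below are constructed sample data with hypothetical names.

```python
"""Who can mutate APIService objects?

Added example, not Kubernetes or AKS hybrid code. APIService is cluster-scoped,
so only ClusterRoleBindings matter; namespaced RoleBindings cannot grant it.
The apiserver materialises aggregated ClusterRoles into their `rules` field,
so reading `rules` as fetched from the API covers aggregationRule as well.
Sample objects are constructed, not exported from any real cluster.
"""

APISERVICES_GROUP = "apiregistration.k8s.io"
MUTATING_VERBS = {"create", "update", "patch", "delete", "deletecollection"}


def rule_grants_apiservice_mutation(rule):
    """True if one PolicyRule grants any mutating verb on apiservices."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = set(rule.get("verbs", []))
    group_ok = "*" in groups or APISERVICES_GROUP in groups
    resource_ok = "*" in resources or "apiservices" in resources
    verb_ok = "*" in verbs or bool(verbs & MUTATING_VERBS)
    return group_ok and resource_ok and verb_ok


def roles_granting_apiservice_mutation(cluster_roles):
    """Names of ClusterRoles whose rules include a mutating grant on apiservices."""
    return {r["metadata"]["name"] for r in cluster_roles
            if any(rule_grants_apiservice_mutation(rule) for rule in r.get("rules", []))}


def subjects_that_can_mutate_apiservices(cluster_roles, cluster_role_bindings):
    """Return a sorted list of 'Kind:name'; ServiceAccounts are namespace-qualified."""
    risky = roles_granting_apiservice_mutation(cluster_roles)
    found = set()
    for binding in cluster_role_bindings:
        ref = binding.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in risky:
            continue
        for subject in binding.get("subjects", []):
            name = subject["name"]
            if subject["kind"] == "ServiceAccount":
                name = "%s/%s" % (subject.get("namespace", "default"), name)
            found.add("%s:%s" % (subject["kind"], name))
    return sorted(found)


# Constructed sample data (hypothetical role and subject names).
CLUSTER_ROLES = [
    {"metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "apiservice-viewer"},
     "rules": [{"apiGroups": [APISERVICES_GROUP], "resources": ["apiservices"],
                "verbs": ["get", "list", "watch"]}]},
    {"metadata": {"name": "metrics-installer"},
     "rules": [{"apiGroups": [APISERVICES_GROUP], "resources": ["apiservices"],
                "verbs": ["create", "update", "patch"]}]},
]

CLUSTER_ROLE_BINDINGS = [
    {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"roleRef": {"kind": "ClusterRole", "name": "apiservice-viewer"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    {"roleRef": {"kind": "ClusterRole", "name": "metrics-installer"},
     "subjects": [{"kind": "ServiceAccount", "name": "installer", "namespace": "ops"}]},
]

if __name__ == "__main__":
    for subject in subjects_that_can_mutate_apiservices(CLUSTER_ROLES, CLUSTER_ROLE_BINDINGS):
        print("can mutate APIServices:", subject)
```

Expect cluster-admin members to appear; anything else on the list is a principal that could register a malicious aggregated API server and therefore deserves the same trust as a cluster admin.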
CVE-2021-3121: An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation in the generated unmarshalling code. This could allow modification of some files or information, and could reduce performance or interrupt resource availability.
CVE-2023-32681: The Python Requests library has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint, allowing a malicious actor to potentially exfiltrate sensitive information.
CVE-2023-29491: ncurses allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file found in $HOME/.terminfo.
This release includes a few important bug fixes:
As always, you can try AKS on Azure Stack HCI or Windows Server any time even if you do not have the hardware handy using our eval guide to set up AKS on a Windows Server Azure VM.
Once you have downloaded and installed the AKS on Azure Stack HCI or Windows Server Update – you can report any issues you encounter, follow our plans, and check out recently released updates through the AKS hybrid roadmap in GitHub.
We look forward to hearing from you all!
Cheers,
AKS Hybrid Team