Microsoft has identified a vulnerability affecting the cluster connect feature of Azure Arc-enabled Kubernetes clusters. This vulnerability could allow an unauthenticated user to elevate their privileges and potentially gain administrative control over the Kubernetes cluster. Additionally, because Azure Stack Edge allows customers to deploy Kubernetes workloads on their devices via Azure Arc, Azure Stack Edge devices are also vulnerable to this vulnerability.
How could an attacker exploit this vulnerability? An attacker who knows the randomly generated external DNS endpoint for an Azure Arc-enabled Kubernetes cluster can exploit this vulnerability from the internet. Successful exploitation of this vulnerability, which affects the cluster connect feature of Azure Arc-enabled Kubernetes clusters, allows an unauthenticated user to elevate their privileges as cluster admins and potentially gain control over the Kubernetes cluster. Azure Stack Edge allows customers to deploy Kubernetes workloads on their devices via Azure Arc; therefore Azure Stack Edge devices are also vulnerable. According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability? The vulnerability is in Azure Arc but could also impact the Kubernetes cluster and Azure Stack Edge that is connected to the vulnerable Azure Arc. See the Security Updates Table for the affected versions of these products. What does Azure Arc do? Azure Arc allows customers to connect on-premises infrastructure (server, Kubernetes, etc.) to Azure for ease of management. Azure Arc simplifies governance and management by delivering a consistent multi-cloud and on-premises management platform. For more information, please see Azure Arc overview. What version of the Azure Arc-enabled Kubernetes cluster addresses this vulnerability? Auto-upgrade is enabled by default for customers using Azure Arc; however, if you manually control your updates, action is required to upgrade to the latest version. Microsoft recommends that customers using Azure Arc-enabled Kubernetes clusters upgrade to agent versions 1.5.8 and above, 1.6.19 and above, 1.7.18 and above, or 1.8.11 and above as appropriate to be protected from this vulnerability. Customers who have already upgrated to version 1.8.14 are already protected from this vulnerability. How do I check which version of the Azure Arc-enabled Kubernetes cluster I am currently using? Gu
<a href="https://github.com/enj">Mo Khan</a> with <a href="https://microsoft.com/">Microsoft</a>, <a href="https://github.com/enj">Mo Khan</a> with <a href="https://microsoft.com/">Microsoft</a>