CVE-2022-28224: Security Bulletins – TTA-2022-001

Clusters using Calico (version 3.22.1 and below), Calico Enterprise (version 3.12.0 and below), may be vulnerable to route hijacking with the floating IP feature. Due to insufficient validation, a privileged attacker may be able to set a floating IP annotation to a pod even if the feature is not enabled. This may allow the attacker to intercept and reroute traffic to their compromised pod.


Description: Calico Enterprise & Calico OS are vulnerable to pod route hijacking

Reference: TTA-2022-001

Date published: 2022-June-1

Severity: Medium

Notes: N/A

Description

Customers running Calico Enterprise and Calico OS are vulnerable to route hijacking with the floating IP feature. Due to insufficient validation, a privileged attacker is able to set a floating IP annotation to a pod even if the feature is not enabled. This allows the attacker to intercept and reroute traffic to their compromised pod.

CVE-2022-28224 has been assigned to this vulnerability.

Severity

MEDIUM

The validation on using floating IP can be bypassed by annotating the pod directly after pod creation. The routing will be reverted when the annotated pod is destroyed or the annotation is removed. This vulnerability requires the Kubernetes RBAC permission of [“patch”, “pods”] to annotate pods.

Affected Releases

  • Calico Enterprise v3.12 and below
  • Calico OS v3.22 and below

Indicators of Impact/Compromise

Review running pods and identify if floating IP annotations are present.

Workaround / Remediation

Review Kubernetes RBAC and review access to [“patch”, “pods”].
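The two checks above (look for floating IP annotations on running pods; find who holds the "patch pods" permission) can be scripted against `kubectl ... -o json` output. The following is an added example, not Calico's or Tigera's own tooling. It assumes the annotation key `cni.projectcalico.org/floatingIPs`, which is the key Calico's CNI documentation uses for the floating IP feature (the advisory itself does not name it), and it runs on constructed sample data embedded inline in the shape `kubectl get pods -A -o json` and `kubectl get clusterroles,roles -A -o json` produce.

```python
"""Defender-side checks for TTA-2022-001 / CVE-2022-28224.

1. find_floating_ip_pods: flag pods carrying the Calico floating IP annotation.
2. find_pod_patchers: flag Roles/ClusterRoles whose rules grant "patch" on pods.

Added example, not Calico's own code. Sample inputs below are constructed to
mimic kubectl JSON output; replace them with json.load() of real dumps.
"""
import json

# Assumption: annotation key taken from Calico CNI documentation, not from the
# advisory text itself.
FLOATING_IP_ANNOTATION = "cni.projectcalico.org/floatingIPs"


def find_floating_ip_pods(pod_list: dict) -> list[dict]:
    """Return namespace/name/annotation value for every pod that carries the
    floating IP annotation (the advisory's indicator of compromise)."""
    hits = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        annotations = meta.get("annotations") or {}
        if FLOATING_IP_ANNOTATION in annotations:
            hits.append({
                "namespace": meta.get("namespace"),
                "name": meta.get("name"),
                "floatingIPs": annotations[FLOATING_IP_ANNOTATION],
            })
    return hits


def rule_grants(rule: dict, verb: str, resource: str) -> bool:
    """True if one RBAC rule grants `verb` on `resource` in the core API group.
    "*" wildcards match anything; a missing apiGroups means the core group."""
    verbs = rule.get("verbs", [])
    resources = rule.get("resources", [])
    groups = rule.get("apiGroups", [""])
    verb_ok = "*" in verbs or verb in verbs
    resource_ok = "*" in resources or resource in resources
    group_ok = "*" in groups or "" in groups   # pods live in the core group
    return verb_ok and resource_ok and group_ok


def find_pod_patchers(role_list: dict) -> list[str]:
    """Return 'Kind/name (ns=...)' for every Role/ClusterRole that can patch pods,
    i.e. the permission the advisory says is required to annotate pods."""
    found = []
    for role in role_list.get("items", []):
        if any(rule_grants(r, "patch", "pods") for r in role.get("rules", [])):
            meta = role["metadata"]
            ns = meta.get("namespace")
            found.append(f"{role['kind']}/{meta['name']}" + (f" (ns={ns})" if ns else ""))
    return found


# Constructed sample data (shape of `kubectl get pods -A -o json`).
SAMPLE_PODS = {"items": [
    {"metadata": {"namespace": "payments", "name": "gateway-7f9",
                  "annotations": {FLOATING_IP_ANNOTATION: '["10.0.0.10"]'}}},
    {"metadata": {"namespace": "web", "name": "frontend-a1b",
                  "annotations": {"kubectl.kubernetes.io/restartedAt": "2022-06-01T00:00:00Z"}}},
    {"metadata": {"namespace": "kube-system", "name": "coredns-xyz"}},
]}

# Constructed sample data (shape of `kubectl get clusterroles,roles -A -o json`).
SAMPLE_ROLES = {"items": [
    {"kind": "ClusterRole", "metadata": {"name": "wide-open"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "pod-patcher", "namespace": "dev"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "patch"]}]},
    {"kind": "Role", "metadata": {"name": "viewer", "namespace": "dev"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "deploy-patcher"},
     "rules": [{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["patch"]}]},
]}


if __name__ == "__main__":
    # For a live cluster: SAMPLE_PODS = json.load(open("pods.json")), etc.
    print("Pods with floating IP annotation:")
    print(json.dumps(find_floating_ip_pods(SAMPLE_PODS), indent=2))
    print("Roles granting patch on pods:")
    for name in find_pod_patchers(SAMPLE_ROLES):
        print("  ", name)
```

A role hit is only the first half of the RBAC review: trace each flagged Role/ClusterRole through its RoleBindings/ClusterRoleBindings to the actual subjects, and treat any pod flagged by the first check as a candidate for traffic interception until the annotation's origin is explained.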

Fixed Software

  • Calico Enterprise
    • v3.13.0 and above
    • v3.12.1
    • v3.11.4
  • Calico OS
    • v3.22.2 and above
    • v3.21.5
    • v3.20.5

Acknowledgment

We would like to acknowledge Aloys Augustin from Cisco for reporting this issue.
