CVE-2022-2385: [Security Advisory] CVE-2022-2385: AccessKeyID validation bypass

Hausler, Micah

unread,

Jul 11, 2022, 6:40:08 PM (yesterday) Jul 11

to kubernete…@googlegroups.com, d…@kubernetes.io, kubernetes-sec…@googlegroups.com, kubernetes-se…@googlegroups.com, distributo…@kubernetes.io, kubernetes+a…@discoursemail.com

Hello Kubernetes Community,

A security issue was discovered in aws-iam-authenticator where an allow-listed IAM identity may be able to modify their username and escalate privileges.

This issue has been rated high (https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), and assigned CVE-2022-2385

Am I vulnerable?

Users are only affected if they use the AccessKeyID template parameter to construct a username and provide different levels of access based on the username.

Affected Versions

• v0.5.2 - v0.5.8

How do I mitigate this vulnerability?

Upgrading to v0.5.9 mitigates this vulnerability.

Prior to upgrading, this vulnerability can be mitigated by not using the {{AccessKeyID}} template value to construct usernames.

Fixed Versions

• aws-iam-authenticator v0.5.9

Detection

This issue affected the logged identity, and is not discernible from valid requests.

Additional Details

See the GitHub issue for more details: https://github.com/kubernetes-sigs/aws-iam-authenticator/issues/472

Acknowledgements

This vulnerability was reported by Gafnit Amiga from Lightspin

Micah Hausler

Principal Engineer

Amazon Web Services