CVE-2022-0567
📋 TL;DR
This vulnerability in ovn-kubernetes allows administrators or privileged attackers to create egress network policies that bypass existing ingress policies, potentially exposing pods that should be isolated. This can lead to information disclosure and unauthorized access to sensitive pod data. The issue affects Kubernetes clusters using ovn-kubernetes for network policy enforcement.
💻 Affected Systems
- ovn-kubernetes
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete cluster compromise through lateral movement, data exfiltration from all pods, and privilege escalation across the entire Kubernetes environment.
Likely Case
Targeted information disclosure from specific pods, unauthorized access to internal services, and potential data leakage from applications running in vulnerable pods.
If Mitigated
Limited impact due to network segmentation, pod security policies, and monitoring that detects unusual egress policy creation.
🎯 Exploit Status
Exploitation requires administrative or privileged access to create network policies, making it more of a privilege escalation/abuse issue than a remote code execution vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Red Hat Bugzilla 2053326 for specific fixed versions
Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=2053326
Restart Required: Yes
Instructions:
1. Update ovn-kubernetes to the patched version.
2. Restart ovn-kubernetes components.
3. Verify network policies are functioning correctly.
🔧 Temporary Workarounds
Restrict Network Policy Creation
Implement RBAC controls to limit who can create or modify NetworkPolicy resources
kubectl apply -f network-policy-rbac.yaml
Audit Existing Egress Policies
Review and validate all existing egress network policies for potential bypass configurations
kubectl get networkpolicies --all-namespaces -o yaml | grep -A5 -B5 egress
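The grep above only shows where egress rules exist; the policies worth reviewing for this bug are the egress-enforcing ones that share selected pods with a separate ingress-enforcing policy in the same namespace. The script below is an added example (not ovn-kubernetes project code) that reads the JSON from `kubectl get networkpolicies -A -o json`, applies the Kubernetes policyTypes defaulting rule, and prints those egress/ingress pairs. The sample policy list embedded in it is constructed; selector overlap is decided conservatively on matchLabels only, and any selector using matchExpressions is reported for manual review rather than evaluated.

```python
"""Audit NetworkPolicy objects for egress policies that overlap ingress policies.

Added example for CVE-2022-0567 review work (not ovn-kubernetes project code).
Input is the JSON that `kubectl get networkpolicies -A -o json` prints; run
with that file as the first argument, or with no argument to use the
constructed sample below.
"""
import json
import sys


def effective_policy_types(spec):
    """Return the policy types a NetworkPolicy enforces.

    Follows the Kubernetes defaulting rule: when policyTypes is omitted,
    Ingress is always in effect and Egress only if an egress section exists.
    """
    types = spec.get("policyTypes")
    if types:
        return set(types)
    types = {"Ingress"}
    if "egress" in spec:
        types.add("Egress")
    return types


def selectors_may_overlap(a, b):
    """Conservatively decide whether two podSelectors can pick the same pod.

    Only matchLabels is compared: two selectors can overlap unless they
    require different values for a shared key. An empty selector matches
    every pod in the namespace. matchExpressions are not evaluated here; a
    selector using them is reported as a possible overlap for manual review.
    """
    if a.get("matchExpressions") or b.get("matchExpressions"):
        return True
    la, lb = a.get("matchLabels", {}), b.get("matchLabels", {})
    return all(la[k] == lb[k] for k in la.keys() & lb.keys())


def find_overlaps(policy_list):
    """Return (namespace, egress policy, ingress policy) triples to review.

    Each triple names an egress-enforcing policy and a separate ingress-
    enforcing policy in the same namespace that may select the same pods;
    those are the pairs this ovn-kubernetes bug could let interact.
    """
    by_ns = {}
    for pol in policy_list.get("items", []):
        by_ns.setdefault(pol["metadata"]["namespace"], []).append(pol)
    findings = []
    for ns, pols in sorted(by_ns.items()):
        egress = [p for p in pols if "Egress" in effective_policy_types(p["spec"])]
        ingress = [p for p in pols if "Ingress" in effective_policy_types(p["spec"])]
        for e in egress:
            for i in ingress:
                if e is i:
                    continue
                if selectors_may_overlap(e["spec"].get("podSelector", {}),
                                         i["spec"].get("podSelector", {})):
                    findings.append((ns, e["metadata"]["name"], i["metadata"]["name"]))
    return findings


# Constructed sample in the shape of `kubectl get networkpolicies -A -o json`.
SAMPLE_POLICIES = {
    "items": [
        {"metadata": {"name": "deny-all-ingress", "namespace": "payments"},
         "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
        {"metadata": {"name": "db-egress", "namespace": "payments"},
         "spec": {"podSelector": {"matchLabels": {"app": "db"}},
                  "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "api"}}}]}]}},
        {"metadata": {"name": "web-ingress", "namespace": "frontend"},
         "spec": {"podSelector": {"matchLabels": {"app": "web"}}, "ingress": [{}]}},
        {"metadata": {"name": "worker-egress", "namespace": "frontend"},
         "spec": {"podSelector": {"matchLabels": {"app": "worker"}},
                  "policyTypes": ["Egress"], "egress": []}},
    ]
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE_POLICIES
    for ns, egress_name, ingress_name in find_overlaps(data):
        print(f"{ns}: egress policy {egress_name!r} may select pods covered by "
              f"ingress policy {ingress_name!r}; review both")
```

On the sample, only the payments namespace is reported: db-egress has no policyTypes but carries an egress section, so it enforces Egress, and the namespace-wide deny-all-ingress policy covers its pods. The frontend pair is not reported because the two selectors require different values for the shared app label.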
🧯 If You Can't Patch
- Implement strict RBAC controls to limit NetworkPolicy creation to trusted administrators only
- Enable comprehensive auditing of all NetworkPolicy changes and monitor for suspicious egress policy creation
🔍 How to Verify
Check if Vulnerable:
Check the ovn-kubernetes version in use and compare it against the patched versions listed in the Red Hat advisory
Check Version:
kubectl get pods -n ovn-kubernetes -o jsonpath='{.items[*].spec.containers[*].image}' | tr ' ' '\n' | grep ovn-kubernetes
Verify Fix Applied:
Test that egress policies no longer bypass ingress policies by creating test policies and verifying isolation
📡 Detection & Monitoring
Log Indicators:
- Unusual NetworkPolicy creation events
- Administrative users creating multiple egress policies
- Failed pod isolation attempts
Network Indicators:
- Unexpected network traffic between pods that should be isolated
- Pods communicating on unexpected ports
SIEM Query:
event.category:kubernetes AND kubernetes.object:NetworkPolicy AND kubernetes.verb:create
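The SIEM query above matches every NetworkPolicy creation; to act on the first two log indicators (unusual creations, one administrator creating several egress policies) the events also need to be classified by policy type and counted per user. The script below is an added example (not project code) that does this over kube-apiserver audit log lines in the audit.k8s.io/v1 JSON format. It assumes the audit policy records networkpolicies at the RequestResponse (or Request) level so that requestObject is present; without it a write is still reported but cannot be classified as egress. The embedded audit lines are constructed sample data.

```python
"""Flag NetworkPolicy writes in Kubernetes API-server audit logs.

Added detection example for CVE-2022-0567 (not project code). Input lines are
audit.k8s.io/v1 Events as written by kube-apiserver with
--audit-log-format=json. requestObject is only present when the audit policy
level for networkpolicies is RequestResponse (or Request); without it the
write is still reported, just not classified as egress.
"""
import json
import sys
from collections import Counter

WATCHED_VERBS = {"create", "update", "patch"}


def has_egress_type(request_object):
    """True if the submitted NetworkPolicy spec enforces Egress.

    Same defaulting as the API: explicit policyTypes wins, otherwise the
    presence of an egress section implies Egress. For `patch` the body is a
    partial object, so a missing spec simply yields False.
    """
    spec = (request_object or {}).get("spec") or {}
    types = spec.get("policyTypes")
    if types:
        return "Egress" in types
    return "egress" in spec


def scan_audit_lines(lines):
    """Return (alerts, egress_writes_per_user) for NetworkPolicy writes.

    Only ResponseComplete events are used so each request is counted once
    (the same request also appears at the RequestReceived stage).
    """
    alerts = []
    egress_by_user = Counter()
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # non-JSON noise in the file; skip rather than abort
        if ev.get("stage") != "ResponseComplete":
            continue
        ref = ev.get("objectRef") or {}
        if ref.get("resource") != "networkpolicies" or ev.get("verb") not in WATCHED_VERBS:
            continue
        user = (ev.get("user") or {}).get("username", "<unknown>")
        egress = has_egress_type(ev.get("requestObject"))
        if egress:
            egress_by_user[user] += 1
        alerts.append({
            "time": ev.get("requestReceivedTimestamp"),
            "user": user,
            "verb": ev["verb"],
            "namespace": ref.get("namespace"),
            "name": ref.get("name"),
            "egress": egress,
        })
    return alerts, egress_by_user


def _event(verb, user, ns, name, spec=None, stage="ResponseComplete"):
    """Build one constructed audit event line (sample data, not a real log)."""
    ev = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": stage,
          "verb": verb, "requestReceivedTimestamp": "2022-02-10T09:14:03Z",
          "user": {"username": user},
          "objectRef": {"apiGroup": "networking.k8s.io", "resource": "networkpolicies",
                        "namespace": ns, "name": name}}
    if spec is not None:
        ev["requestObject"] = {"spec": spec}
    return json.dumps(ev)


SAMPLE_AUDIT_LINES = [
    _event("create", "alice", "payments", "db-egress",
           {"podSelector": {}, "policyTypes": ["Egress"], "egress": []}),
    _event("create", "alice", "payments", "db-egress",
           {"podSelector": {}, "policyTypes": ["Egress"]}, stage="RequestReceived"),
    _event("update", "bob", "frontend", "web-ingress",
           {"podSelector": {"matchLabels": {"app": "web"}}, "ingress": [{}]}),
    _event("get", "carol", "frontend", "web-ingress"),
    _event("create", "alice", "payments", "cache-egress",
           {"podSelector": {"matchLabels": {"app": "cache"}}, "egress": []}),
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_AUDIT_LINES
    alerts, per_user = scan_audit_lines(lines)
    for a in alerts:
        flag = "EGRESS" if a["egress"] else "ingress/other"
        print(f"{a['time']} {a['user']} {a['verb']} {a['namespace']}/{a['name']} [{flag}]")
    for user, n in per_user.items():
        if n >= 2:
            print(f"{user} wrote {n} egress policies; confirm this was expected")
```

Run against a real audit log with the file path as the first argument. On the sample, the RequestReceived duplicate and the read-only `get` are dropped, three writes are reported, and alice is listed as the author of two egress policies, which is the pattern the "multiple egress policies" indicator refers to.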