CVE-2022-24877
📋 TL;DR
This path traversal vulnerability in Flux's kustomize-controller allows attackers to read sensitive files from the controller's pod filesystem by submitting crafted kustomization.yaml files. It affects multi-tenant Flux deployments where users can submit kustomization manifests, potentially leading to privilege escalation. Organizations using Flux for Kubernetes continuous delivery are affected.
💻 Affected Systems
- Flux kustomize-controller
- Flux2
📦 What is this software?
Flux2 by Fluxcd
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the kustomize-controller pod, exposure of all filesystem contents including secrets and configuration, and privilege escalation to cluster-level access in multi-tenant environments.
Likely Case
Unauthorized access to sensitive configuration files, secrets, and credentials stored in the controller's filesystem, potentially enabling lateral movement within the cluster.
If Mitigated
Limited impact with proper network segmentation, pod security policies, and restricted access to kustomization.yaml submission capabilities.
🎯 Exploit Status
Exploitation requires ability to submit kustomization.yaml files to the controller. The vulnerability is straightforward to exploit once an attacker has this capability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: kustomize-controller v0.24.0, flux2 v0.29.0
Vendor Advisory: https://github.com/fluxcd/flux2/security/advisories/GHSA-j77r-2fxf-5jrw
Restart Required: Yes
Instructions:
1. Update Flux2 to v0.29.0 or later using the flux CLI: flux install --version=v0.29.0
2. Alternatively, update kustomize-controller to v0.24.0 or later.
3. Restart the kustomize-controller deployment.
🔧 Temporary Workarounds
CI/CD Pipeline Validation
Implement automated validation of kustomization.yaml files in CI/CD pipelines to ensure they don't contain path traversal patterns.
# Example using yq to check for suspicious patterns
yq eval '.resources[]' kustomization.yaml | grep -E '\.\./|/etc/|/proc/'
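The yq/grep check above is a pattern match: it flags every `../`, including the legitimate relative references kustomize overlays commonly use for shared bases inside the same repository, and it does not reject absolute paths outside `/etc` or `/proc`. A stricter CI check resolves each referenced path against the repository root and rejects only entries that leave it. The following is an added example written for this page, not code from the advisory or from the Flux project; the function names, the `/repo` root and the sample kustomization are all constructed for illustration, and the line-oriented reader handles only the flat list shapes shown, not arbitrary YAML.

```python
"""Added example: reject kustomization.yaml file references that escape the
repository root (lexical path-containment check). Hypothetical helper names;
not part of the CVE-2022-24877 advisory or the Flux project."""
import os
import re

# Constructed sample kustomization (not from the advisory). The directory it
# lives in is assumed to be <root>/apps/web for the checks below.
SAMPLE_KUSTOMIZATION = """\
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - deployment.yaml
  - ./service.yaml
  - ../shared/configmap.yaml
  - /etc/shadow
  - ../../../outside.yaml
patches:
  - path: patch.yaml
"""

# Matches list items such as "  - file.yaml" or "  - path: file.yaml".
_LIST_ITEM = re.compile(r"^\s*-\s*(?:path:\s*)?(\S+)\s*$")


def extract_paths(text, keys=("resources", "bases", "patches", "patchesStrategicMerge")):
    """Collect file references listed under the given top-level keys.

    Minimal line-oriented reader for the flat list shapes kustomize uses
    (assumption: one path per list item); it is not a full YAML parser.
    """
    paths, current = [], None
    for line in text.splitlines():
        if line and not line[0].isspace():
            # Top-level key line: remember it only if it opens a block ("resources:").
            current = line.split(":", 1)[0] if line.rstrip().endswith(":") else None
            continue
        m = _LIST_ITEM.match(line)
        if current in keys and m:
            paths.append(m.group(1).strip("'\""))
    return paths


def is_contained(entry, base_dir, root):
    """True if `entry`, taken relative to <root>/<base_dir>, stays inside root.

    Absolute entries are rejected outright. The comparison is purely lexical
    (normpath), so it never touches the filesystem; a check on a real checkout
    should additionally resolve symlinks with os.path.realpath.
    """
    if os.path.isabs(entry):
        return False
    root_abs = os.path.abspath(root)
    resolved = os.path.abspath(os.path.normpath(os.path.join(root, base_dir, entry)))
    return os.path.commonpath([root_abs, resolved]) == root_abs


def check_kustomization(text, base_dir="", root="/repo"):
    """Split a kustomization's file references into (allowed, rejected)."""
    allowed, rejected = [], []
    for path in extract_paths(text):
        (allowed if is_contained(path, base_dir, root) else rejected).append(path)
    return allowed, rejected


if __name__ == "__main__":
    ok, bad = check_kustomization(SAMPLE_KUSTOMIZATION, base_dir="apps/web")
    print("allowed :", ok)
    print("rejected:", bad)
    raise SystemExit(1 if bad else 0)  # non-zero exit fails the CI job
```

Run it with the kustomization's directory (relative to the repository root) as `base_dir`; `../shared/configmap.yaml` is accepted because it resolves to `/repo/apps/shared/configmap.yaml`, while `/etc/shadow` and `../../../outside.yaml` are rejected because they resolve outside `/repo`.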
🧯 If You Can't Patch
- Implement strict RBAC policies to limit who can submit kustomization.yaml files to the controller
- Deploy network policies to isolate the kustomize-controller pod, and use pod security settings to limit its filesystem access
🔍 How to Verify
Check if Vulnerable / Check Version:
Check the kustomize-controller image version: kubectl get pods -n flux-system -l app=kustomize-controller -o jsonpath='{.items[*].spec.containers[*].image}'
Verify Fix Applied:
Confirm the image tag is v0.24.0 or later (the pattern also accepts v1.x and later tags): kubectl get pods -n flux-system -l app=kustomize-controller -o jsonpath='{.items[*].spec.containers[*].image}' | grep -E 'v0\.(2[4-9]|[3-9][0-9])\.|v[1-9][0-9]*\.'
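A grep on the tag works for a one-off check, but a script that parses the image reference and compares the version numerically is easier to keep correct (it handles v1.x tags, treats pre-release tags such as v0.24.0-rc.1 as older than the fix, and reports digest-only or untagged images as unknown rather than silently passing them). The following is an added example for this page, not code from the advisory or the Flux project; the function names are hypothetical and the kubectl output is a constructed sample in the space-separated form the jsonpath query above produces.

```python
"""Added example: decide whether kustomize-controller images are at or past
the fixed version (v0.24.0) by parsing their tags. Hypothetical helper names;
not part of the advisory or the Flux project."""
import re

FIXED_VERSION = (0, 24, 0)

# Constructed sample of `kubectl ... -o jsonpath='{.items[*].spec.containers[*].image}'`
# output (space separated); not captured from a real cluster.
SAMPLE_KUBECTL_OUTPUT = (
    "ghcr.io/fluxcd/kustomize-controller:v0.23.0 "
    "ghcr.io/fluxcd/kustomize-controller:v0.24.0 "
    "ghcr.io/fluxcd/kustomize-controller:v1.2.0"
)

# semver-style tag with optional leading "v", pre-release and build metadata
_TAG_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)


def image_tag(image):
    """Return the tag of an image reference, or None if it has no tag.

    The digest (after "@") is dropped first; the tag is the part after the
    last ":" in the final path component, so a registry port is not mistaken
    for a tag.
    """
    name = image.split("@", 1)[0]
    last = name.rsplit("/", 1)[-1]
    return last.rsplit(":", 1)[1] if ":" in last else None


def parse_tag(tag):
    """Parse a tag into a comparable tuple, or None if it is not a version.

    The fourth element is 1 for a release and 0 for a pre-release, so
    v0.24.0-rc.1 sorts before v0.24.0.
    """
    m = _TAG_RE.match(tag)
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)


def is_patched(image):
    """True if the image tag is >= v0.24.0, False if older, None if unknown."""
    tag = image_tag(image)
    version = parse_tag(tag) if tag else None
    if version is None:
        return None
    return version >= FIXED_VERSION + (1,)


def audit_images(jsonpath_output):
    """Map each image from the kubectl jsonpath output to its patch status."""
    return {image: is_patched(image) for image in jsonpath_output.split()}


if __name__ == "__main__":
    for image, status in audit_images(SAMPLE_KUBECTL_OUTPUT).items():
        label = {True: "patched", False: "VULNERABLE", None: "unknown tag"}[status]
        print(f"{label:12} {image}")
```

Pipe the real kubectl output into `audit_images` and treat both `False` and `None` as findings: an untagged or digest-pinned image still needs its version confirmed another way, for example from the controller's startup log line.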
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns in kustomize-controller logs
- Errors related to file path resolution
- Multiple failed attempts to access restricted paths
Network Indicators:
- Unusual outbound connections from kustomize-controller pod
- Attempts to exfiltrate data from the controller
SIEM Query:
source="kustomize-controller" AND ("../" OR "/etc/" OR "/proc/")