CVE-2022-31098
📋 TL;DR
This vulnerability in Weave GitOps allows authenticated remote attackers to read sensitive Kubernetes cluster configurations and service account tokens in plain text from pod logs. If logs are shipped to external log storage, anyone with access to that storage can read the same data without authenticating to Weave GitOps. All users running vulnerable versions of Weave GitOps are affected.
💻 Affected Systems
- Weave GitOps
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full administrative access to all registered Kubernetes clusters, enabling data theft, resource hijacking, or complete cluster compromise.
Likely Case
Attackers obtain service account tokens and cluster configurations, allowing them to perform unauthorized operations on registered Kubernetes clusters.
If Mitigated
With proper log access controls and network segmentation, impact is limited to authorized users who already have pod log access.
🎯 Exploit Status
Exploitation requires access to pod logs or external log storage. Authenticated access to Weave GitOps or its management cluster is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v0.8.1-rc.6 or newer
Vendor Advisory: https://github.com/weaveworks/weave-gitops/security/advisories/GHSA-xggc-qprg-x6mw
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Upgrade Weave GitOps to v0.8.1-rc.6 or newer using your deployment method (Helm, kubectl, etc.).
3. Restart all Weave GitOps pods.
4. Verify that the upgrade completed successfully.
🔧 Temporary Workarounds
No official workaround
The vendor states there is no known workaround for this vulnerability.
🧯 If You Can't Patch
- Restrict access to Weave GitOps pod logs using Kubernetes RBAC and network policies.
- Disable or secure external log storage systems and implement strict access controls for log data.
🔍 How to Verify
Check if Vulnerable:
List the Weave GitOps container images and read the version tag: kubectl get pods -n <namespace> -l app=weave-gitops -o jsonpath='{.items[*].spec.containers[*].image}'
Check Version:
kubectl get pods -n <namespace> -l app=weave-gitops -o jsonpath='{.items[*].spec.containers[*].image}' | grep -o 'v[0-9.]\+\(-[0-9A-Za-z.]\+\)\?'
Keep the pre-release suffix in the comparison: v0.8.1-rc.5 is older than the fixed v0.8.1-rc.6 and is therefore still vulnerable.
Verify Fix Applied:
Confirm the version is v0.8.1-rc.6 or newer, and check that pod logs no longer contain KubeConfig data when a cluster connection fails.
📡 Detection & Monitoring
Log Indicators:
- Plain text KubeConfig data in pod logs
- Service account tokens in logs
- Cluster configuration details in error messages
Network Indicators:
- Unauthorized access attempts to log storage systems
- Suspicious API calls to Kubernetes clusters from unexpected sources
SIEM Query:
source="weave-gitops" AND ("kubeconfig" OR "serviceaccount" OR "token:")
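The two checks above, version comparison and log indicator matching, combined into one script as an added example; this is not code from the advisory or from the Weave GitOps project. The registry path, image tags and log lines are constructed sample data, and a real run would feed it the output of the kubectl commands in the verification section.

```python
import re

FIXED = "v0.8.1-rc.6"  # first fixed release named in the advisory

_TAG_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")


def version_key(tag):
    """Semver-style sort key: a pre-release such as rc.N orders below the final release."""
    m = _TAG_RE.search(tag)
    if not m:
        raise ValueError(f"unrecognised version tag: {tag!r}")  # e.g. 'latest': treat as unknown
    core = tuple(int(x) for x in m.group(1, 2, 3))
    if not m.group(4):
        return core + (1,)  # final release outranks every pre-release of the same version
    ids = tuple((0, int(p)) if p.isdigit() else (1, p) for p in m.group(4).split("."))
    return core + (0, ids)  # numeric identifiers compare before alphanumeric ones


def is_vulnerable(image):
    """True when the image tag (after the last ':') predates the fixed version."""
    return version_key(image.rsplit(":", 1)[1]) < version_key(FIXED)


# Indicators listed in the advisory: KubeConfig bodies, service-account names, token fields.
LEAK_PATTERNS = {
    "kubeconfig": re.compile(r"\bkind:\s*Config\b|\bkubeconfig\b", re.I),
    "serviceaccount": re.compile(r"\bserviceaccount\b", re.I),
    "token": re.compile(r"\btoken:\s*\S+|\beyJ[A-Za-z0-9_-]{8,}"),  # JWTs start with 'eyJ'
}


def scan_log(text):
    """Return (line_number, indicator) pairs for lines that look like leaked credentials."""
    return [(n, label) for n, line in enumerate(text.splitlines(), 1)
            for label, pat in LEAK_PATTERNS.items() if pat.search(line)]


# Constructed sample data; the registry path and log lines are not real cluster output.
SAMPLE_IMAGES = ["example.registry/weave-gitops:v0.8.1-rc.5",
                 "example.registry/weave-gitops:v0.8.1-rc.6"]
SAMPLE_LOG = """\
2022-06-01T10:00:00Z INFO starting weave-gitops server
2022-06-01T10:00:05Z ERROR cluster prod-east unreachable; config: apiVersion: v1 kind: Config clusters: [...]
2022-06-01T10:00:05Z ERROR serviceaccount default failed; token: eyJhbGciOiJSUzI1NiJ9.CONSTRUCTED
2022-06-01T10:00:06Z INFO reconciled 3 applications
"""

if __name__ == "__main__":
    for img in SAMPLE_IMAGES:
        print(img, "VULNERABLE" if is_vulnerable(img) else "fixed")
    for n, label in scan_log(SAMPLE_LOG):
        print(f"line {n}: possible {label} leak")
```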
🔗 References
- https://github.com/weaveworks/weave-gitops/commit/567356f471353fb5c676c77f5abc2a04631d50ca
- https://github.com/weaveworks/weave-gitops/security/advisories/GHSA-xggc-qprg-x6mw