CVE-2022-45157
📋 TL;DR
CVE-2022-45157 is a high-severity vulnerability where Rancher stores vSphere CPI and CSI credentials in plaintext objects. This allows attackers with access to Rancher to read sensitive vSphere passwords. Only users who deploy Kubernetes clusters in vSphere environments are affected.
💻 Affected Systems
- Rancher
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain vSphere administrative credentials, enabling complete compromise of vSphere infrastructure and all managed clusters.
Likely Case
Attackers with Rancher access extract vSphere credentials to escalate privileges within the vSphere environment.
If Mitigated
With proper access controls and monitoring, credential exposure is detected before exploitation.
🎯 Exploit Status
Exploitation requires access to Rancher's API or UI where plaintext credentials are stored.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Rancher 2.6.12, 2.7.2 and later
Vendor Advisory: https://github.com/rancher/rancher/security/advisories/GHSA-xj7w-r753-vj8v
Restart Required: Yes
Instructions:
1. Back up the Rancher configuration.
2. Upgrade to Rancher 2.6.12 or 2.7.2+.
3. Restart Rancher services.
4. Rotate all vSphere CPI/CSI credentials.
🔧 Temporary Workarounds
Credential Rotation
Rotate vSphere credentials to limit the exposure window
# Rotate vSphere credentials through vCenter management
Access Restriction
Restrict Rancher access to authorized personnel only
# Implement network segmentation and RBAC controls
🧯 If You Can't Patch
- Implement strict RBAC to limit who can access Rancher cluster configuration
- Monitor Rancher API access logs for credential extraction attempts
🔍 How to Verify
Check if Vulnerable:
Check the Rancher version: if you use the vSphere provider and run a 2.6.x release earlier than 2.6.12, or a 2.7.x release earlier than 2.7.2, you are vulnerable.
Check Version:
kubectl get pods -n cattle-system -l app=rancher -o jsonpath='{.items[0].spec.containers[0].image}' | grep -o 'rancher/rancher:[^ ]*'
Verify Fix Applied:
Confirm Rancher version is 2.6.12+ or 2.7.2+ and verify vSphere credentials are no longer stored in plaintext objects.
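The version comparison above is easy to get wrong by hand, because the fix landed on two release lines (2.6.12 and 2.7.2) and a plain "less than 2.7.2" test would also flag 2.6.12, which is patched. The script below is an added example, not part of this advisory or of Rancher's own tooling: it parses the image tag that the kubectl command above prints, applies the branch-aware check, and reports "vulnerable", "patched" or "unknown". The sample image tags are constructed; the `running_rancher_image` helper is an assumed convenience wrapper around that same kubectl call and needs cluster access. It also assumes that releases after 2.7.2 carry the fix (the page says "2.7.2 and later"); it does not check whether the cluster actually uses the vSphere provider, which you must confirm separately.

```python
import re
import subprocess

# Fixed releases named on this page: the first patched build on each line.
FIXED_2_6 = (2, 6, 12)
FIXED_2_7 = (2, 7, 2)

# Matches the tag of the Rancher server image, e.g. "rancher/rancher:v2.7.1".
IMAGE_TAG_RE = re.compile(r"rancher/rancher:v?(\d+)\.(\d+)\.(\d+)")


def parse_rancher_version(image: str):
    """Return (major, minor, patch) from a Rancher image reference, or None when
    the tag is not a semantic version (for example "latest" or "head")."""
    match = IMAGE_TAG_RE.search(image)
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def is_vulnerable(version) -> bool:
    """True when the version predates the fix on its own release line.

    2.7.x is compared against 2.7.2; every other line is compared against
    2.6.12, so 2.6.11 and all earlier lines are flagged and 2.8+ is treated
    as fixed (assumption: the page only says "2.7.2 and later")."""
    if version[:2] == (2, 7):
        return version < FIXED_2_7
    return version < FIXED_2_6


def assess_image(image: str) -> str:
    """Classify a Rancher image reference for CVE-2022-45157."""
    version = parse_rancher_version(image)
    if version is None:
        return "unknown"
    return "vulnerable" if is_vulnerable(version) else "patched"


def running_rancher_image() -> str:
    """Assumed helper: same lookup as the kubectl command on this page, minus grep."""
    result = subprocess.run(
        [
            "kubectl", "get", "pods", "-n", "cattle-system", "-l", "app=rancher",
            "-o", "jsonpath={.items[0].spec.containers[0].image}",
        ],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.strip()


if __name__ == "__main__":
    # Constructed sample tags so the check can be exercised offline.
    samples = [
        "rancher/rancher:v2.5.16",
        "rancher/rancher:v2.6.11",
        "rancher/rancher:v2.6.12",
        "rancher/rancher:v2.7.1",
        "rancher/rancher:v2.7.2",
        "rancher/rancher:latest",
    ]
    for img in samples:
        print(f"{img}: {assess_image(img)}")
    # Against a live cluster, replace the loop with:
    #   print(assess_image(running_rancher_image()))
```

An "unknown" result (a floating tag such as `latest`) means the image tag carries no version information; inspect the Rancher UI's About page or the image digest instead of trusting the tag.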
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access to Rancher API endpoints related to cloud credentials
- Multiple failed authentication attempts followed by credential access
Network Indicators:
- Unusual outbound connections from Rancher to vSphere infrastructure
SIEM Query:
source="rancher" AND ("cloudcredential" OR "vsphere" OR "cpi" OR "csi") AND ("GET" OR "POST")