Security update for kubernetes1.23 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:1404-1 Final 1 1 2024-04-23T14:52:51Z current 2024-04-23T14:52:51Z 2024-04-23T14:52:51Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for kubernetes1.23 This update for kubernetes1.23 fixes the following issues: - CVE-2024-3177: Fixed bypass of mountable secrets policy imposed by the ServiceAccount admission plugin (bsc#1222539) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-1404,SUSE-SLE-Module-Containers-15-SP5-2024-1404,openSUSE-SLE-15.5-2024-1404 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20241404-1/ Link for SUSE-SU-2024:1404-1 https://lists.suse.com/pipermail/sle-updates/2024-April/035069.html E-Mail link for SUSE-SU-2024:1404-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1222539 SUSE Bug 1222539 https://www.suse.com/security/cve/CVE-2024-3177/ SUSE CVE CVE-2024-3177 page SUSE Linux Enterprise Module for Containers 15 SP5 openSUSE Leap 15.5 kubernetes1.23-apiserver-1.23.17-150500.3.12.1 kubernetes1.23-client-1.23.17-150500.3.12.1 kubernetes1.23-client-bash-completion-1.23.17-150500.3.12.1 kubernetes1.23-client-common-1.23.17-150500.3.12.1 kubernetes1.23-client-fish-completion-1.23.17-150500.3.12.1 kubernetes1.23-controller-manager-1.23.17-150500.3.12.1 kubernetes1.23-kubeadm-1.23.17-150500.3.12.1 kubernetes1.23-kubelet-1.23.17-150500.3.12.1 kubernetes1.23-kubelet-common-1.23.17-150500.3.12.1 kubernetes1.23-proxy-1.23.17-150500.3.12.1 kubernetes1.23-scheduler-1.23.17-150500.3.12.1 kubernetes1.23-client-1.23.17-150500.3.12.1 as a component of SUSE Linux Enterprise Module for Containers 15 SP5 kubernetes1.23-client-common-1.23.17-150500.3.12.1 as a component of SUSE Linux Enterprise Module for Containers 15 SP5 kubernetes1.23-apiserver-1.23.17-150500.3.12.1 as a component of openSUSE Leap 15.5 kubernetes1.23-client-1.23.17-150500.3.12.1 as a component of openSUSE Leap 15.5 kubernetes1.23-client-bash-completion-1.23.17-150500.3.12.1 as a component of openSUSE Leap 15.5 kubernetes1.23-client-common-1.23.17-150500.3.12.1 as a component of openSUSE Leap 15.5 kubernetes1.23-client-fish-completion-1.23.17-150500.3.12.1 as a component of openSUSE Leap 15.5 kubernetes1.23-controller-manager-1.23.17-150500.3.12.1 as a component of openSUSE Leap 15.5 kubernetes1.23-kubeadm-1.23.17-150500.3.12.1 as a component of openSUSE Leap 15.5 kubernetes1.23-kubelet-1.23.17-150500.3.12.1 as a component of openSUSE Leap 15.5 kubernetes1.23-kubelet-common-1.23.17-150500.3.12.1 as a component of openSUSE Leap 15.5 kubernetes1.23-proxy-1.23.17-150500.3.12.1 as a component of openSUSE Leap 15.5 kubernetes1.23-scheduler-1.23.17-150500.3.12.1 as a component of openSUSE Leap 15.5 A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated. The policy ensures pods running with a service account may only reference secrets specified in the service account's secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with containers, init containers, and ephemeral containers with the envFrom field populated. CVE-2024-3177 SUSE Linux Enterprise Module for Containers 15 SP5:kubernetes1.23-client-1.23.17-150500.3.12.1 SUSE Linux Enterprise Module for Containers 15 SP5:kubernetes1.23-client-common-1.23.17-150500.3.12.1 openSUSE Leap 15.5:kubernetes1.23-apiserver-1.23.17-150500.3.12.1 openSUSE Leap 15.5:kubernetes1.23-client-1.23.17-150500.3.12.1 openSUSE Leap 15.5:kubernetes1.23-client-bash-completion-1.23.17-150500.3.12.1 openSUSE Leap 15.5:kubernetes1.23-client-common-1.23.17-150500.3.12.1 openSUSE Leap 15.5:kubernetes1.23-client-fish-completion-1.23.17-150500.3.12.1 openSUSE Leap 15.5:kubernetes1.23-controller-manager-1.23.17-150500.3.12.1 openSUSE Leap 15.5:kubernetes1.23-kubeadm-1.23.17-150500.3.12.1 openSUSE Leap 15.5:kubernetes1.23-kubelet-1.23.17-150500.3.12.1 openSUSE Leap 15.5:kubernetes1.23-kubelet-common-1.23.17-150500.3.12.1 openSUSE Leap 15.5:kubernetes1.23-proxy-1.23.17-150500.3.12.1 openSUSE Leap 15.5:kubernetes1.23-scheduler-1.23.17-150500.3.12.1 low 2.7 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241404-1/ https://www.suse.com/security/cve/CVE-2024-3177.html CVE-2024-3177 https://bugzilla.suse.com/1222539 SUSE Bug 1222539