CVE-2022-21951: Rancher's Weave CNI password is not configured when a cluster is created from an RKE template
This vulnerability only affects customers using Weave CNI (Container Network Interface) when configured through RKE templates.
A flaw was discovered in Rancher versions from 2.5.0 up to and including 2.5.13 and from 2.6.0 up to and including 2.6.4, where a UI (user interface) issue causes RKE templates to omit the value for the Weave password when Weave is chosen as the CNI.
If a cluster is created from such a template with Weave configured as the CNI, no password is created for network encryption in Weave, so network traffic in the cluster is sent unencrypted.
This issue does not happen when a cluster, with Weave configured as CNI, is created without using an RKE template.
The impact of this vulnerability is higher when the cluster's nodes are in different locations and communicate with one another over the Internet, where monitoring (sniffing) of the network traffic by third parties is more easily achieved.
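One way to check exported cluster or template configuration for the condition described above, as an added example that is not part of the original advisory or Rancher's code. It assumes the configuration is already parsed into a dict and that the password sits under `network.weave_network_provider.password` (the RKE `cluster.yml` spelling) or an assumed camelCase equivalent; the sample data is constructed.

```python
import json

# Key spellings: snake_case is the RKE cluster.yml form; camelCase is an
# assumption for configuration exported as JSON.
PROVIDER_KEYS = ("weave_network_provider", "weaveNetworkProvider")


def find_network_blocks(node, path=""):
    """Yield (path, mapping) for every 'network' mapping that names a plugin."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if key == "network" and isinstance(value, dict) and "plugin" in value:
                yield here, value
            else:
                yield from find_network_blocks(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_network_blocks(item, f"{path}[{i}]")


def weave_without_password(config):
    """Return paths of network blocks that select Weave but set no password."""
    findings = []
    for path, net in find_network_blocks(config):
        if str(net.get("plugin", "")).lower() != "weave":
            continue  # other CNIs are outside the scope of this advisory
        provider = next(
            (net[k] for k in PROVIDER_KEYS if isinstance(net.get(k), dict)), {})
        password = provider.get("password")
        # A missing, non-string, empty or whitespace-only password all mean
        # Weave would run without network encryption.
        if not isinstance(password, str) or not password.strip():
            findings.append(path)
    return findings


# Constructed sample: cluster names and the password value are illustrative.
SAMPLE = json.loads("""
{"clusters": [
  {"name": "from-template", "rancher_kubernetes_engine_config":
    {"network": {"plugin": "weave"}}},
  {"name": "manual", "rancher_kubernetes_engine_config":
    {"network": {"plugin": "weave",
                 "weave_network_provider": {"password": "constructed-example"}}}},
  {"name": "other-cni", "rancher_kubernetes_engine_config":
    {"network": {"plugin": "canal"}}}
]}
""")

if __name__ == "__main__":
    for hit in weave_without_password(SAMPLE):
        print("Weave selected without an encryption password:", hit)
```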