CVE-2023-32191: rke's credentials are stored in the RKE1 Cluster state ConfigMap
When RKE provisions a cluster, it stores the cluster state in a ConfigMap called full-cluster-state inside the kube-system namespace of the cluster itself. This cluster state object contains information used to set up the K8s cluster, which may include the following sensitive data:
- RancherKubernetesEngineConfig
  - RKENodeConfig
    - SSH username
    - SSH private key
    - SSH private key path
  - RKEConfigServices
    - ETCDService
      - External client key
      - BackupConfig
        - S3BackupConfig
          - AWS access key
          - AWS secret key
    - KubeAPIService
      - SecretsEncryptionConfig
        - K8s encryption configuration (contains encryption keys)
  - PrivateRegistries
    - User
    - Password
    - ECRCredentialPlugin
      - AWS access key
      - AWS secret key
      - AWS session token
  - CloudProvider
    - AzureCloudProvider
      - AAD client ID
      - AAD client secret
      - AAD client cert password
    - OpenstackCloudProvider
      - Username
      - User ID
      - Password
    - VsphereCloudProvider
      - GlobalVsphereOpts
        - User
        - Password
      - VirtualCenterConfig
        - User
        - Password
    - HarvesterCloudProvider
      - CloudConfig
    - CustomCloudProvider
  - BastionHost
    - User
    - SSH key
- CertificatesBundle
  - Private key
- EncryptionConfig
  - Private key
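
An added example, not part of the advisory or of RKE's code: an audit helper that takes the ConfigMap exported as JSON and lists which fields hold non-empty credential-like values, without printing the values, so you know what to rotate. The key-name heuristic and the field names in the constructed sample are assumptions, not RKE's exact schema.

```python
import json
import re

# Heuristic for credential-like key names (assumption, not RKE's schema).
SENSITIVE = re.compile(r"password|secret|token|key|encryption", re.IGNORECASE)


def sensitive_paths(node, path=""):
    """Yield JSON paths whose key looks sensitive and whose value is a non-empty string."""
    if isinstance(node, dict):
        for name, value in node.items():
            child = f"{path}.{name}" if path else name
            if isinstance(value, str):
                if value and SENSITIVE.search(name):
                    yield child  # report the location only, never the value
            else:
                yield from sensitive_paths(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from sensitive_paths(item, f"{path}[{i}]")


def audit_configmap(configmap_json):
    """Audit the output of: kubectl -n kube-system get configmap full-cluster-state -o json"""
    cm = json.loads(configmap_json)
    found = set()
    for data_key, raw in (cm.get("data") or {}).items():
        try:
            state = json.loads(raw)
        except (TypeError, ValueError):
            continue  # entry is not a JSON payload, nothing to walk
        found.update(sensitive_paths(state, data_key))
    return sorted(found)


# Constructed sample: placeholder values, illustrative field names.
SAMPLE = json.dumps({
    "metadata": {"name": "full-cluster-state", "namespace": "kube-system"},
    "data": {"full-cluster-state": json.dumps({"desiredState": {"rkeConfig": {
        "nodes": [{"address": "192.0.2.10", "user": "rke", "sshKey": "PLACEHOLDER"}],
        "services": {"etcd": {"backupConfig": {"s3BackupConfig": {
            "accessKey": "PLACEHOLDER", "secretKey": ""}}}},
    }}})},
})

if __name__ == "__main__":
    for found_path in audit_configmap(SAMPLE):
        print(found_path)
```

Any path it reports is a credential that was readable by anyone with access to that ConfigMap and is a candidate for rotation.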
References
- bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32191
- github.com/advisories/GHSA-6gr4-52w6-vmqx
- github.com/rancher/rke
- github.com/rancher/rke/commit/cf49199481a1891909acb1384eed73a5c987d5bd
- github.com/rancher/rke/commit/f7485b8dce376db0fc15a7c3ceb3de7029c8d0cf
- github.com/rancher/rke/security/advisories/GHSA-6gr4-52w6-vmqx
- nvd.nist.gov/vuln/detail/CVE-2023-32191