CVE-2022-0185: How to Identify at Risk Kernel Versions in Your K8S Cluster
Written By: Andy Suderman
A high-severity vulnerability in the Linux Kernel, CVE-2022-0185, was announced this week. The vulnerability allows a local attacker to cause a denial of service (system crash) or execute arbitrary code.
The kernel fix was released on January 18th and is included in the latest Ubuntu AMIs, which were also released on January 18th.
Identify Kernel Version in Kubernetes Clusters
If you are a Fairwinds Insights user, you can check for the kernel versions in your cluster with an OPA Policy. Note that this will require adding additional access for the OPA job to be able to get and list nodes. If you are not yet a Fairwinds Insights user, you can get onto a trial here. We can get you using the software to help with this high-severity vulnerability.
Insights OPA Policy
package fairwinds

allowedKernelVersion(elem) {
  v := elem.parameters.kernelVersions[_]
  elem.status.nodeInfo.kernelVersion == v
}

unsupportedKernel[actionItem] {
  not allowedKernelVersion(input)
  actionItem := {
    "title": "Kernel Version is Unsupported",
    "description": sprintf("kernel version %s is unsupported", [input.status.nodeInfo.kernelVersion]),
    "severity": 0.5,
    "remediation": "Update the base image version.",
    "category": "Security"
  }
}
In your YAML, put the list of kernel versions that you will be supporting. For example, if you are using an Ubuntu AMI in AWS, nodes built from the AMI 099720109477/ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20220118 report the kernel version shown below:

parameters:
  kernelVersions:
    - 5.11.0-1027-aws
targets:
  - apiGroups:
      - ''
    kinds:
      - Node
You can check what version of the kernel is reported in the node status using:
kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.status.nodeInfo.kernelVersion}{"\n"}{end}'
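If you are not running Insights, the same allowlist check can be applied to the output of kubectl get nodes -o json. The script below is an added example, not part of the original post or of Fairwinds' tooling; the node JSON it embeds is constructed sample data, and the allowlist mirrors the parameters.kernelVersions value above.

```python
import json

# Constructed sample resembling `kubectl get nodes -o json` output (not real cluster data).
SAMPLE_NODES_JSON = json.dumps({
    "items": [
        {"metadata": {"name": "ip-10-0-1-10"}, "status": {"nodeInfo": {"kernelVersion": "5.11.0-1027-aws"}}},
        {"metadata": {"name": "ip-10-0-1-11"}, "status": {"nodeInfo": {"kernelVersion": "5.11.0-1022-aws"}}},
        {"metadata": {"name": "ip-10-0-1-12"}, "status": {"nodeInfo": {"kernelVersion": "5.4.0-1061-aws"}}},
    ]
})

# Mirrors the policy's `parameters.kernelVersions` allowlist.
ALLOWED_KERNEL_VERSIONS = ["5.11.0-1027-aws"]


def unsupported_kernels(nodes_json, allowed_versions):
    """Return one action item per node whose kernel is not in the allowlist.

    Same logic as the Rego `unsupportedKernel` rule: a node passes only on an
    exact match against the allowlist; anything else (including a missing
    kernelVersion field) is reported.
    """
    allowed = set(allowed_versions)
    action_items = []
    for node in json.loads(nodes_json).get("items", []):
        name = node["metadata"]["name"]
        kernel = node.get("status", {}).get("nodeInfo", {}).get("kernelVersion", "unknown")
        if kernel in allowed:
            continue
        action_items.append({
            "node": name,
            "title": "Kernel Version is Unsupported",
            "description": f"kernel version {kernel} is unsupported",
            "severity": 0.5,
            "remediation": "Update the base image version.",
            "category": "Security",
        })
    return action_items


if __name__ == "__main__":
    # Against a live cluster, pipe `kubectl get nodes -o json` into stdin instead.
    for item in unsupported_kernels(SAMPLE_NODES_JSON, ALLOWED_KERNEL_VERSIONS):
        print(f"{item['node']}: {item['description']}")
```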