
Privilege escalation vulnerability in Azure Arc-enabled Kubernetes clusters (CVSS 10)


regnor

Not sure if this is a topic for Kubernetes Korner or Cyber Security Space.


Microsoft has found a security vulnerability in Azure Arc which allows attackers, if they find out the randomly generated DNS name, to elevate their privileges to those of a cluster administrator.
This has been given an impressive CVSS score of 10 out of 10.

In addition, Azure Stack Edge devices are affected by this issue.

Azure Arc can be used to connect and manage Kubernetes clusters in different locations.
So with this vulnerability an attacker could gain control over the Kubernetes clusters.

Remediation

If you have auto-upgrade enabled (default), then you should already be safe.
If not, or if you want to check anyway, the following agent versions are protected against this vulnerability, according to Microsoft:

  • 1.5.8 and above
  • 1.6.19 and above
  • 1.7.18 and above
  • 1.8.11 and above

For Azure Stack Edge, you must update to release 2209 (software version 2.2.2088.5593)

More information and a detailed description to check whether you're affected can be found here:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37968
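The remediation list above gives a per-branch minimum agent version, so "is my cluster patched?" is a branch-aware comparison rather than a single threshold. The script below is an added example (not part of the original post and not Microsoft's own tooling): it compares a version string against the minimums listed in the post, and optionally reads the live agent version from the cluster. Two assumptions are labelled in the code: that a 1.x branch newer than 1.8 falls under "and above" and is protected, and that the agent version is exposed under the `AZURE_ARC_AGENT_VERSION` key of the `azure-clusterconfig` ConfigMap in the `azure-arc` namespace (adjust the key if your agent release stores it differently).

```shell
#!/bin/sh
# Added example: check an Azure Arc-enabled Kubernetes agent version against the
# minimum fixed versions listed for CVE-2022-37968. Not from the original post or
# from Microsoft; the ConfigMap key used by arc_check_cluster is an assumption.

# Minimum protected version per 1.x minor branch, as listed in the post.
arc_min_for_branch() {
    case "$1" in
        1.5) echo 1.5.8 ;;
        1.6) echo 1.6.19 ;;
        1.7) echo 1.7.18 ;;
        1.8) echo 1.8.11 ;;
        *)   echo "" ;;   # no fixed release listed for this branch
    esac
}

# Numeric comparison of two dotted versions; prints -1, 0 or 1.
# Missing trailing components count as 0, so "1.8" == "1.8.0".
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        if [ "$a" = "$x" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$y" ]; then b=""; else b="${b#*.}"; fi
        x="${x:-0}"; y="${y:-0}"
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# Verdict for one version string. Exit status 0 = protected, 1 = vulnerable or
# no fixed release listed for that branch. A leading "v" and any suffix such as
# "-preview" are stripped before comparing.
arc_agent_protected() {
    v=$(printf '%s' "$1" | sed 's/^v//; s/[^0-9.].*$//')
    major="${v%%.*}"
    rest="${v#*.}"
    minor="${rest%%.*}"
    branch="$major.$minor"
    min=$(arc_min_for_branch "$branch")
    if [ -z "$min" ]; then
        # ASSUMPTION: a branch newer than 1.8 is "above" every listed fix.
        if [ "$(vercmp "$branch" 1.8)" -gt 0 ]; then
            echo "$1: branch $branch is newer than all listed fixes; treated as protected"
            return 0
        fi
        echo "$1: no fixed release listed for branch $branch; treat as vulnerable and upgrade"
        return 1
    fi
    if [ "$(vercmp "$v" "$min")" -ge 0 ]; then
        echo "$1: protected (minimum for branch $branch is $min)"
        return 0
    fi
    echo "$1: VULNERABLE, below $min; upgrade the Arc agents"
    return 1
}

# Live check against the currently selected kubectl context.
# ASSUMPTION: the agent version is stored under AZURE_ARC_AGENT_VERSION in the
# azure-clusterconfig ConfigMap of the azure-arc namespace.
arc_check_cluster() {
    ver=$(kubectl get configmap azure-clusterconfig -n azure-arc \
            -o jsonpath='{.data.AZURE_ARC_AGENT_VERSION}') || return 2
    [ -n "$ver" ] || { echo "agent version not found in azure-clusterconfig"; return 2; }
    arc_agent_protected "$ver"
}

# Usage: ./arc-check.sh --cluster   (live)   or   ./arc-check.sh 1.6.18   (offline)
if [ "${1:-}" = "--cluster" ]; then
    arc_check_cluster
elif [ -n "${1:-}" ]; then
    arc_agent_protected "$1"
fi
```

A non-zero exit status from the offline check makes this easy to drop into a fleet inventory loop (one `kubectl` context per Arc-connected cluster) and fail a pipeline on any unpatched agent. If auto-upgrade is enabled the version should already be at or above the branch minimum; the check is still worth running on clusters where auto-upgrade was disabled or the agents are pinned.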

3 comments

Chris.Childerhose
  • Veeam Legend, Veeam Vanguard
  • 8492 comments
  • October 13, 2022

To me it belongs here since it is security related.  Thanks for sharing.


Iams3le
  • Veeam Legend
  • 1393 comments
  • October 13, 2022

Great share 👍


Geoff Burke
  • Veeam Legend, Veeam Vanguard
  • 1318 comments
  • October 14, 2022

Yes, Azure Arc is a Microsoft-only tool, it would seem, and it also allows you to control physical servers and VMs, so it is better here, even if the vulnerability only allows escalation on an AKS cluster, in my opinion.

Interesting description of ARC here https://learn.microsoft.com/en-us/azure/azure-arc/overview

