cbcvebase.
CVE-2022-37968
published 2022-10-11

Priority: P2 (69)
Severity: critical, CVSS 3.1 base score 10.0
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 2.59% (83.4th percentile)
Microsoft has identified a vulnerability affecting the cluster connect feature of Azure Arc-enabled Kubernetes clusters. This vulnerability could allow an unauthenticated user to elevate their privileges and potentially gain administrative control over the Kubernetes cluster. Additionally, because Azure Stack Edge allows customers to deploy Kubernetes workloads on their devices via Azure Arc, Azure Stack Edge devices are also vulnerable to this vulnerability.

Affected

14 ranges

Vendor     Product                                      Version range               Fixed in
microsoft  azure_arc-enabled_kubernetes                 (not specified)             (not specified)
microsoft  azure_arc-enabled_kubernetes                 (not specified)             (not specified)
microsoft  azure_arc-enabled_kubernetes                 (not specified)             (not specified)
microsoft  azure_arc-enabled_kubernetes                 (not specified)             (not specified)
microsoft  azure_arc-enabled_kubernetes_cluster_1.5.8   >= 1.0.0 < 1.5.8            1.5.8
microsoft  azure_arc-enabled_kubernetes_cluster_1.6.19  >= 1.0.0 < 1.6.19           1.6.19
microsoft  azure_arc-enabled_kubernetes_cluster_1.7.18  >= 1.0.0 < 1.7.18           1.7.18
microsoft  azure_arc-enabled_kubernetes_cluster_1.8.11  >= 1.0.0 < 1.8.11           1.8.11
microsoft  azure_stack_edge                             >= 2.2.0 < 2.2.2088.5593    2.2.2088.5593
msrc       azure_arc-enabled_kubernetes_cluster_1.5.8   (not specified)             (not specified)
msrc       azure_arc-enabled_kubernetes_cluster_1.6.19  (not specified)             (not specified)
msrc       azure_arc-enabled_kubernetes_cluster_1.7.18  (not specified)             (not specified)
msrc       azure_arc-enabled_kubernetes_cluster_1.8.11  (not specified)             (not specified)
msrc       azure_stack_edge                             (not specified)             (not specified)

Detection & IOCs (extracted from sources)

  • Attacker must know the randomly generated external DNS endpoint for an Azure Arc-enabled Kubernetes cluster; monitor for unexpected or anomalous external DNS resolution attempts targeting Arc cluster endpoints
  • Exploitation targets the cluster connect feature of Azure Arc-enabled Kubernetes clusters; monitor cluster-connect API traffic for unauthenticated privilege escalation attempts or unexpected cluster-admin role bindings
  • DNS discovery services may be used by attackers to enumerate Arc cluster endpoints; monitor for external DNS enumeration activity against Arc-related DNS namespaces
  • Scope change impact extends beyond Azure Arc to connected Kubernetes clusters and Azure Stack Edge devices; monitor all three surfaces for unauthorized cluster-admin access
  • Vulnerability only affects Azure Arc-enabled Kubernetes agent versions below the fixed thresholds; patched versions are 1.5.8+, 1.6.19+, 1.7.18+, or 1.8.11+ (customers already on 1.8.14 are protected)
  • Azure Stack Edge devices are also in scope; the fix requires updating to the 2209 release (software version 2.2.2088.5593)
  • Auto-upgrade is enabled by default; customers who manually control updates must act, while those with auto-upgrade already enabled are automatically protected
  • Exploitation is unauthenticated and internet-facing, requiring only knowledge of the randomly generated DNS endpoint; no credentials or prior access are needed

CVSS provenance

Source        Version  Score  Severity  Vector
nvd           v3.1     10.0   CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vendor_msrc            10.0   CRITICAL