Fairwinds | Blog

CVE-2022-0185: How to Identify at Risk Kernel Versions in Your K8S Cluster

Written by Andy Suderman | Jan 21, 2022 8:02:36 PM

A high-severity vulnerability in the Linux Kernel, CVE-2022-0185, was announced this week. The vulnerability allows a local attacker to cause a denial of service (system crash) or execute arbitrary code.

The kernel fix was released on Jan 18th and is included in the latest Ubuntu AMIs, published on January 18th.

Identify Kernel Version in Kubernetes Clusters

If you are a Fairwinds Insights user, you can check the kernel versions in your cluster with an OPA Policy. Note that this requires granting the OPA job additional access so that it can get and list nodes. If you are not yet a Fairwinds Insights user, you can sign up for free here. We can get you using the software to help with this high-severity vulnerability.

Insights OPA Policy

package fairwinds

# True when the node's reported kernel version matches one of the
# versions listed under parameters.kernelVersions.
allowedKernelVersion(elem) {
    v := elem.parameters.kernelVersions[_]
    elem.status.nodeInfo.kernelVersion == v
}

# Emit an action item for every Node whose kernel is not on the allow-list.
unsupportedKernel[actionItem] {
    not allowedKernelVersion(input)

    actionItem := {
        "title": "Kernel Version is Unsupported",
        "description": sprintf("kernel version %s is unsupported", [input.status.nodeInfo.kernelVersion]),
        "severity": 0.5,
        "remediation": "Update the base image version.",
        "category": "Security"
    }
}

In the policy's YAML, list the kernel versions you will support. For example, nodes built from the Ubuntu AMI 099720109477/ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20220118 in AWS report the kernel version below:

parameters:
  kernelVersions:
    - 5.11.0-1027-aws
targets:
  - apiGroups:
      - ''
    kinds:
      - Node

You can check what version of the kernel is reported in the node status using:

kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.status.nodeInfo.kernelVersion}{"\n"}{end}'
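The same allow-list check can be run outside Insights against the JSON that kubectl returns. The script below is an added example, not Fairwinds' code or part of the Insights product: it reads the output of `kubectl get nodes -o json` (a constructed sample is embedded so it runs offline; the node names and the second kernel version are made up), flags every node whose status.nodeInfo.kernelVersion is not on the allow-list, and also reports nodes that publish no kernel version at all, which the OPA policy above would otherwise treat as unsupported without saying why. Pass `--live` to query the current cluster instead of the sample.

```python
"""Report nodes whose kernel version is not on an allow-list.

Mirrors the Insights OPA policy: a node passes only if its reported
kernel version exactly matches one of the allowed versions.
"""
import json
import subprocess
import sys
from typing import Dict, Iterable, List

# Allow-list of kernel versions carrying the fix. The single entry is the
# value from the YAML above; add the versions your own patched AMIs report.
ALLOWED_KERNEL_VERSIONS = {"5.11.0-1027-aws"}

# Constructed sample in the shape of `kubectl get nodes -o json`.
# Node names and "5.11.0-1022-aws" are illustrative values, not real hosts.
SAMPLE_NODES_JSON = json.dumps({
    "items": [
        {"metadata": {"name": "ip-10-0-1-10.example.internal"},
         "status": {"nodeInfo": {"kernelVersion": "5.11.0-1027-aws"}}},
        {"metadata": {"name": "ip-10-0-1-11.example.internal"},
         "status": {"nodeInfo": {"kernelVersion": "5.11.0-1022-aws"}}},
        # Edge case: node status without nodeInfo (e.g. a node still registering).
        {"metadata": {"name": "ip-10-0-1-12.example.internal"},
         "status": {}},
    ]
})


def find_unsupported_nodes(nodes_json: str, allowed: Iterable[str]) -> List[Dict]:
    """Return one action item per node not running an allowed kernel."""
    allowed_set = set(allowed)
    findings = []
    for node in json.loads(nodes_json).get("items", []):
        name = node.get("metadata", {}).get("name", "<unnamed>")
        kernel = node.get("status", {}).get("nodeInfo", {}).get("kernelVersion")
        if kernel in allowed_set:
            continue
        if kernel:
            description = f"kernel version {kernel} is unsupported"
        else:
            description = "kernel version not reported in node status"
        findings.append({
            "node": name,
            "title": "Kernel Version is Unsupported",
            "description": description,
            "severity": 0.5,
            "remediation": "Update the base image version.",
            "category": "Security",
        })
    return findings


def nodes_json_from_cluster() -> str:
    """Fetch live Node objects; needs kubectl and get/list access on nodes."""
    result = subprocess.run(
        ["kubectl", "get", "nodes", "-o", "json"],
        check=True, capture_output=True, text=True,
    )
    return result.stdout


def main(argv: List[str]) -> int:
    """Print findings as name<TAB>description; exit 1 if any node is flagged."""
    source = nodes_json_from_cluster() if "--live" in argv else SAMPLE_NODES_JSON
    findings = find_unsupported_nodes(source, ALLOWED_KERNEL_VERSIONS)
    for item in findings:
        print(f"{item['node']}\t{item['description']}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

The non-zero exit status lets the check gate a CI job or a scheduled cluster audit; when run with `--live`, the service account doing the query needs the same get/list permission on nodes that the Insights OPA job requires.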