Acknowledged
Created: Apr 29, 2022
Updated: Apr 13, 2026
Resolved Date: Apr 1, 2026
Found In Version: 10.22.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 22
Component/s: Userspace
A security issue was discovered with Kubernetes that could enable users to send network traffic to locations they would otherwise not have access to via a confused deputy attack.
========Wind River Notice========
No upstream code patch exists, and the Kubernetes upstream issue remains open. The only mitigation merged upstream is PR #103704 ([https://github.com/kubernetes/kubernetes/pull/103704], merged into v1.22 on 2021-07-20), which removes Endpoints write access from the system:aggregate-to-edit default ClusterRole, and therefore from the aggregated edit and admin roles built on it. This is an RBAC default-configuration change, not a code fix, and it takes effect only under the following conditions:
* Newly created k8s v1.22+ clusters: mitigated automatically, because the default RBAC policy no longer grants Endpoints write access through the edit and admin roles.
* Clusters upgraded to v1.22+: not mitigated automatically. The API server's start-up reconciliation of the default ClusterRoles only adds missing permissions and never removes existing ones, so the Endpoints write rule stays in the role until an administrator reconciles it manually with kubectl auth reconcile (with --remove-extra-permissions, otherwise the stale rule is kept).
* k8s < v1.22 clusters: PR #103704 is not included, so the Endpoints write permission must be removed from the edit/admin roles by hand. Because the API server on these versions re-applies its bootstrap policy at every start, the edited default role must also carry the annotation rbac.authorization.kubernetes.io/autoupdate: "false", or the permission is restored on the next restart. Any custom Role or ClusterRole that grants Endpoints write access to untrusted users needs the same treatment.
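The following audit script is an added example, not Wind River's or the Kubernetes project's code. It reads the JSON that `kubectl get clusterroles,roles -A -o json` prints (a `List` of Role/ClusterRole objects), reports every role whose rules allow a write verb on core-group Endpoints, and produces a hardened copy of each such role with Endpoints removed from the write rules, in the same way PR #103704 changed system:aggregate-to-edit. It goes beyond the notice in one respect: it also scans custom Roles and ClusterRoles, since a cluster-specific role can grant the same permission. The sample input embedded below is constructed for the example, not captured from a real cluster; the autoupdate annotation it sets is the documented opt-out from the API server's bootstrap-policy reconciliation.

```python
"""Audit Kubernetes RBAC roles for write access to core-group Endpoints and
emit hardened copies suitable for `kubectl apply -f -`.

Example code, not part of the advisory or of Kubernetes itself.
"""
import copy
import json
import sys

# Verbs that let a subject change which addresses a Service forwards to.
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}
CORE_GROUPS = {"", "*"}        # Endpoints live in the core ("") API group
TARGET = {"endpoints", "*"}
AUTOUPDATE = "rbac.authorization.kubernetes.io/autoupdate"

# Constructed sample input in `kubectl ... -o json` shape: a pre-1.22-style
# aggregate-to-edit role, a read-only view role (fine), and a namespaced
# custom Role that also grants Endpoints write access.
SAMPLE = {
    "kind": "List", "apiVersion": "v1",
    "items": [
        {"kind": "ClusterRole", "apiVersion": "rbac.authorization.k8s.io/v1",
         "metadata": {"name": "system:aggregate-to-edit",
                      "annotations": {AUTOUPDATE: "true"},
                      "resourceVersion": "123", "uid": "abc"},
         "rules": [
             {"apiGroups": [""], "resources": ["endpoints", "services", "configmaps"],
              "verbs": ["create", "delete", "deletecollection", "patch", "update"]},
             {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
        {"kind": "ClusterRole", "apiVersion": "rbac.authorization.k8s.io/v1",
         "metadata": {"name": "system:aggregate-to-view"},
         "rules": [{"apiGroups": [""], "resources": ["endpoints", "services"],
                    "verbs": ["get", "list", "watch"]}]},
        {"kind": "Role", "apiVersion": "rbac.authorization.k8s.io/v1",
         "metadata": {"name": "deployer", "namespace": "app"},
         "rules": [{"apiGroups": [""], "resources": ["endpoints"], "verbs": ["patch"]}]},
    ]}


def rule_grants_endpoints_write(rule):
    """True if one RBAC rule allows any write verb on core-group Endpoints."""
    return (bool(set(rule.get("apiGroups", [])) & CORE_GROUPS)
            and bool(set(rule.get("resources", [])) & TARGET)
            and bool(set(rule.get("verbs", [])) & WRITE_VERBS))


def find_endpoints_writers(role_list):
    """Return (kind, namespace, name) for every role with an offending rule."""
    hits = []
    for role in role_list["items"]:
        if any(rule_grants_endpoints_write(r) for r in role.get("rules", [])):
            meta = role["metadata"]
            hits.append((role["kind"], meta.get("namespace", ""), meta["name"]))
    return hits


def strip_endpoints_write(role, opt_out_of_autoupdate=True):
    """Return a copy of `role` with Endpoints removed from every write rule.

    Other resources in the same rule are kept, a rule left with no resources
    is dropped, and read-only rules on Endpoints stay. A rule that uses the
    "*" resource wildcard is left as-is for the operator to narrow by hand.
    With opt_out_of_autoupdate set, the autoupdate annotation is set to
    "false" so that an API server older than v1.22 does not put the
    permission back from its bootstrap policy at the next restart.
    """
    out = copy.deepcopy(role)
    kept = []
    for rule in out.get("rules", []):
        if rule_grants_endpoints_write(rule) and "endpoints" in rule.get("resources", []):
            rule = dict(rule, resources=[r for r in rule["resources"] if r != "endpoints"])
            if not rule["resources"]:
                continue
        kept.append(rule)
    out["rules"] = kept
    meta = out.setdefault("metadata", {})
    if opt_out_of_autoupdate:
        meta.setdefault("annotations", {})[AUTOUPDATE] = "false"
    # Server-populated fields would make `kubectl apply` reject the object.
    for field in ("resourceVersion", "uid", "creationTimestamp", "managedFields"):
        meta.pop(field, None)
    return out


def harden_role_list(role_list, opt_out_of_autoupdate=True):
    """Return a List document containing a hardened copy of each offending role."""
    fixed = [strip_endpoints_write(r, opt_out_of_autoupdate) for r in role_list["items"]
             if any(rule_grants_endpoints_write(x) for x in r.get("rules", []))]
    return {"kind": "List", "apiVersion": "v1", "items": fixed}


if __name__ == "__main__":
    # `python3 audit.py -` reads real kubectl output from stdin; otherwise the
    # constructed sample is used.
    doc = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE
    for kind, ns, name in find_endpoints_writers(doc):
        print(f"{kind} {ns + '/' if ns else ''}{name} grants write access to Endpoints",
              file=sys.stderr)
    print(json.dumps(harden_role_list(doc), indent=2))
```

On a cluster that has already been upgraded to v1.22 or later, prefer `kubectl auth reconcile --remove-extra-permissions` against the current default role manifests over applying this script's output, and pass `opt_out_of_autoupdate=False` if you do use it there, so the role keeps receiving future default updates. A hardened custom Role that ends up with no rules at all (the `deployer` role in the sample) should simply be deleted, and any workload that genuinely needs to manage Endpoints should get that permission through a Role bound only to its own ServiceAccount.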