Impact
This affects users of Kyverno versions 1.8.3 and 1.8.4 who use verifyImages
rules to verify container image signatures and do not restrict which image registries may be used.
Patches
This issue has been fixed in version 1.8.5. Upgrade to 1.8.5 or later.
Workarounds
Configure a Kyverno policy that restricts images to a set of trusted image registries, so that an image from an unknown registry is rejected before any verifyImages rule is evaluated (see the sample restrict_image_registries policy in the references).
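The following is an added example of that workaround, not text from the advisory and not code shipped by the Kyverno project. It shows two ClusterPolicies: one that rejects Pods whose containers, init containers or ephemeral containers pull from anywhere other than an allow-list of registries, and a verifyImages rule whose imageReferences are scoped to the same allow-list. The registry names (ghcr.io/example-org, registry.example.com) and the cosign public-key placeholder are assumptions and must be replaced with your own values before the policy will load.

```yaml
# Added example (not the project's code). Workaround policy for CVE-2022-47633:
# refuse images from unknown registries so they never reach verifyImages.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-image-registries
  annotations:
    policies.kyverno.io/description: >-
      Only allow images from an explicit list of trusted registries.
spec:
  # "enforce" rejects the admission request; "audit" only reports a violation.
  validationFailureAction: enforce
  background: true
  rules:
  - name: validate-registries
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "Images may only be pulled from the trusted registries."
      pattern:
        spec:
          # =() marks an optional field: the pattern applies only if it is present.
          # "a/* | b/*" is Kyverno's pattern OR; the registry list is an assumption.
          =(ephemeralContainers):
          - image: "ghcr.io/example-org/* | registry.example.com/*"
          =(initContainers):
          - image: "ghcr.io/example-org/* | registry.example.com/*"
          containers:
          - image: "ghcr.io/example-org/* | registry.example.com/*"
---
# Added example (not the project's code). verifyImages rule scoped to the same
# registries, so signature verification is only attempted against trusted hosts.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-trusted-images
spec:
  validationFailureAction: enforce
  # verifyImages rules act on admission requests, not background scans.
  background: false
  rules:
  - name: check-signature
    match:
      any:
      - resources:
          kinds:
          - Pod
    verifyImages:
    # Same allow-list as above; images outside it are already rejected.
    - imageReferences:
      - "ghcr.io/example-org/*"
      - "registry.example.com/*"
      attestors:
      - entries:
        - keys:
            # Placeholder: replace with the cosign public key that signed your images.
            publicKeys: |-
              -----BEGIN PUBLIC KEY-----
              REPLACE-WITH-YOUR-COSIGN-PUBLIC-KEY
              -----END PUBLIC KEY-----
```

Apply with `kubectl apply -f` after substituting your registries and key. Because the restrict rule is a plain validate rule, it applies whether or not verifyImages is configured, and it closes the gap the advisory describes on 1.8.3 and 1.8.4 until you can upgrade to 1.8.5.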
References
- https://github.com/kyverno/kyverno/security/advisories/GHSA-m3cq-xcx9-3gvm
- https://github.com/kyverno/kyverno/pull/5713
- https://github.com/kyverno/kyverno/releases/tag/v1.8.5
- https://kyverno.io/policies/best-practices/restrict_image_registries/restrict_image_registries/
- https://nvd.nist.gov/vuln/detail/CVE-2022-47633
- https://github.com/kyverno/kyverno/compare/v1.8.4...v1.8.5
- https://kyverno.io/docs/writing-policies/verify-images/
- https://github.com/advisories/GHSA-m3cq-xcx9-3gvm