CVE-2022-35930 in PolicyController

Summary

by MITRE • 08/05/2022

PolicyController is a utility used to enforce supply chain policy in Kubernetes clusters. In versions prior to 0.2.1, PolicyController will report a false positive, resulting in an admission when it should not be admitted, when there is at least one attestation with a valid signature and there are NO attestations of the type being verified (--type defaults to "custom"). An example image that can be used to test this is `ghcr.io/distroless/static@sha256:dd7614b5a12bc4d617b223c588b4e0c833402b8f4991fb5702ea83afad1986e2`. Users should upgrade to version 0.2.1 to resolve this issue. There are no workarounds for users unable to upgrade.


Analysis

by VulDB Data Team • 08/30/2022

The CVE-2022-35930 vulnerability affects PolicyController, a critical utility designed to enforce supply chain security policies within Kubernetes environments. This tool operates as an admission controller that validates container images against established security policies before allowing them to be deployed. The flaw exists in versions prior to 0.2.1 where the system exhibits incorrect behavior during policy evaluation, specifically when processing image attestations. The vulnerability manifests as a false positive condition that incorrectly blocks legitimate image admissions, creating a significant operational disruption for Kubernetes cluster administrators who rely on proper supply chain security enforcement.

The technical root cause of this vulnerability lies in how PolicyController handles attestation validation logic when multiple attestations exist for the same image. When an image contains at least one attestation with a valid signature but no attestations of the specific type being verified, the system incorrectly determines that admission should be denied. This occurs because the default verification type (--type) is set to "custom" and the validation logic fails to properly distinguish between valid signatures that should permit admission and the absence of required attestation types that should trigger rejection. The affected image `ghcr.io/distroless/static@sha256:dd7614b5a12bc4d617b223c588b4e0c833402b8f4991fb5702ea83afad1986e2` serves as a test case demonstrating this flawed behavior where legitimate signatures are incorrectly interpreted as policy violations.
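The following is an added illustration, not PolicyController's own code, of the condition the MITRE summary describes: an image carries one attestation with a valid signature but none of the type being verified (`--type`, default "custom"). Signatures are modelled with Ed25519 from the Go standard library in place of cosign, the `Attestation` type and the `https://example.com/vuln-scan/v1` predicate type are hypothetical, and both the buggy check (any valid signature admits) and the corrected check (filter by requested type, then verify) are shown side by side.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Attestation is a simplified stand-in for an attestation attached to an image:
// the predicate type, the signed payload, and the signature over that payload.
// (Constructed for this example; not PolicyController's own type.)
type Attestation struct {
	PredicateType string
	Payload       []byte
	Signature     []byte
}

// DefaultType mirrors the --type default ("custom") named in the advisory.
const DefaultType = "custom"

// VulnScanType is a hypothetical predicate type for the "other" attestation.
const VulnScanType = "https://example.com/vuln-scan/v1"

// signatureValid verifies the attestation signature against the trusted public key.
func signatureValid(pub ed25519.PublicKey, a Attestation) bool {
	return ed25519.Verify(pub, a.Payload, a.Signature)
}

// AdmitBuggy models the flawed check the advisory describes: any attestation with a
// valid signature satisfies the policy, so the requested type is never consulted.
func AdmitBuggy(pub ed25519.PublicKey, atts []Attestation, wantType string) bool {
	for _, a := range atts {
		if signatureValid(pub, a) {
			return true
		}
	}
	return false
}

// AdmitFixed filters by the requested predicate type before checking signatures, so an
// image carrying no attestation of that type is denied even if other attestations verify.
func AdmitFixed(pub ed25519.PublicKey, atts []Attestation, wantType string) bool {
	for _, a := range atts {
		if a.PredicateType != wantType {
			continue
		}
		if signatureValid(pub, a) {
			return true
		}
	}
	return false
}

// NewAttestation signs a constructed payload with the supplied private key.
func NewAttestation(priv ed25519.PrivateKey, predType, body string) Attestation {
	payload := []byte(predType + "\n" + body)
	return Attestation{PredicateType: predType, Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// Evaluate builds the advisory's scenario: one validly signed attestation of another type.
// With withCustom=false there is no attestation of the verified type; with withCustom=true
// a validly signed "custom" attestation is added. Returns (buggy verdict, fixed verdict).
func Evaluate(withCustom bool) (buggy, fixed bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	atts := []Attestation{NewAttestation(priv, VulnScanType, "no findings")}
	if withCustom {
		atts = append(atts, NewAttestation(priv, DefaultType, "built by trusted pipeline"))
	}
	return AdmitBuggy(pub, atts, DefaultType), AdmitFixed(pub, atts, DefaultType)
}

// TamperedDenied shows that the fixed path still rejects a "custom" attestation whose
// payload was altered after signing: type filtering does not weaken signature checking.
func TamperedDenied() bool {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	a := NewAttestation(priv, DefaultType, "original")
	a.Payload = []byte(DefaultType + "\ntampered")
	return !AdmitFixed(pub, []Attestation{a}, DefaultType)
}

func main() {
	b, f := Evaluate(false)
	fmt.Printf("no custom attestation: buggy admits=%v, fixed admits=%v\n", b, f)
	b, f = Evaluate(true)
	fmt.Printf("custom attestation present: buggy admits=%v, fixed admits=%v\n", b, f)
	fmt.Printf("tampered custom attestation denied by fixed check: %v\n", TamperedDenied())
}
```

Running it shows the divergence in the first case only: with no "custom" attestation the buggy check admits and the fixed check denies, and once a validly signed "custom" attestation is present both admit. The practical point for policy authors is that the type filter must be applied before the signature check, and a policy that names a predicate type should be tested against an image that carries only attestations of other types.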

This vulnerability directly impacts the operational security posture of Kubernetes clusters by creating false positives that block legitimate deployments while potentially allowing malicious images to bypass detection. The flaw represents a critical gap in the supply chain security enforcement mechanism, as it undermines the fundamental purpose of policy verification. From a cybersecurity perspective, this issue creates a false sense of security while simultaneously weakening the overall defense-in-depth strategy. The vulnerability's impact is particularly concerning because it affects the core admission control functionality that prevents unauthorized or unverified images from entering production environments, potentially enabling supply chain attacks that could compromise cluster integrity and data security.

The recommended mitigation involves upgrading to PolicyController version 0.2.1, which contains the corrected validation logic that properly handles attestation scenarios. This upgrade addresses the fundamental flaw in how the system processes multiple attestations and ensures that valid signatures are properly recognized as sufficient evidence for admission approval. Organizations unable to upgrade immediately face a critical operational challenge as no viable workarounds exist to address this specific validation logic error. The vulnerability's classification aligns with CWE-252, which describes "Unchecked Return Value" conditions where the system fails to properly validate inputs or return values from security checks. This issue also relates to ATT&CK technique T1556.002, "Modify Authentication Process," as it affects the authentication and authorization mechanisms within Kubernetes admission control, potentially allowing attackers to exploit the false positive behavior to either block legitimate deployments or bypass security controls through strategic image manipulation.

Organizations should implement immediate monitoring and validation procedures to identify any instances where this vulnerability has impacted their cluster operations, particularly focusing on admission audit logs and policy enforcement metrics. The upgrade process should be prioritized in all environments where PolicyController is actively used for supply chain security enforcement. Security teams must also review their existing policies and procedures to ensure that any false positive incidents related to this vulnerability have been properly addressed and that their incident response protocols account for similar supply chain security validation failures. This vulnerability underscores the importance of proper validation in security tools and demonstrates how seemingly minor logic errors in admission controllers can have significant operational and security implications across enterprise Kubernetes deployments.

Responsible

GitHub, Inc.

Reservation

07/15/2022

Disclosure

08/05/2022

Moderation

accepted

CPE

ready

EPSS

0.00513

KEV

no

Activities

very low
