AWS CDK vulnerability (CVE-2023-35165) impacts versions with overly permissive trust policies, enabling unauthorized access. Update to versions v1.202.0 and v2.80.0 for mitigation.
AWS CDK EKS overly permissive trust policies lead to Incorrect Authorization.
Understanding CVE-2023-35165
This vulnerability affects certain AWS Cloud Development Kit (AWS CDK) versions, which create IAM roles with overly permissive trust policies.
What is CVE-2023-35165?
AWS CDK, specifically aws-cdk-lib and @aws-cdk/aws-eks, creates two roles with overly permissive trust policies, potentially impacting users.
The Impact of CVE-2023-35165
The vulnerability allows unauthorized actions such as executing kubectl commands on the cluster, affecting confidentiality and integrity.
Technical Details of CVE-2023-35165
This section provides insights into the vulnerability, affected systems, and exploitation methods.
Vulnerability Description
The CreationRole and the default MastersRole in AWS CDK have overly permissive trust policies, enabling unauthorized access.
Affected Systems and Versions
Users with CDK versions >= 1.57.0 and <= 2.80.0 are affected, specifically aws-cdk-lib and @aws-cdk/aws-eks.
Exploitation Mechanism
Attackers can exploit the trust policies to perform unauthorized actions like deploying resources and executing commands on the cluster.
Mitigation and Prevention
Learn how to mitigate the risks associated with CVE-2023-35165 and prevent similar security threats.
Immediate Steps to Take
Update to @aws-cdk/aws-eks v1.202.0 and aws-cdk-lib v2.80.0 to address the vulnerability and restrict trust policies.
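As an added defender-side check, not code from the advisory or the AWS CDK project: a small audit that flags trust-policy statements allowing an entire account (or anyone) to assume a role without a Condition block, which is the kind of over-permissive trust the advisory describes. The sample documents, the placeholder account id and the role name eks-cluster-handler are constructed; that the affected CDK roles trusted exactly these principals is an assumption, and in practice you would feed it the trust policies of the CreationRole and MastersRole fetched with iam:GetRole before and after upgrading.

```python
import json
import re

# Matches an account-root principal, e.g. arn:aws:iam::123456789012:root
ACCOUNT_ROOT = re.compile(r"^arn:aws:iam::\d{12}:root$")


def _as_list(value):
    """IAM JSON allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def broad_trust_findings(trust_policy: dict) -> list[str]:
    """Flag Allow sts:AssumeRole statements that trust '*' or an account-root
    principal with no Condition, i.e. any identity in the account that holds
    sts:AssumeRole rights could assume the role."""
    findings = []
    for idx, stmt in enumerate(_as_list(trust_policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        if stmt.get("Condition"):
            continue  # scoped by a condition key; treated as acceptable here
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in principals:
            if p == "*" or ACCOUNT_ROOT.match(p):
                findings.append(f"statement {idx}: {p} may assume the role with no Condition")
    return findings


# Constructed sample documents (placeholder account id 123456789012).
WEAK_TRUST = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                 "Principal": {"AWS": "arn:aws:iam::123456789012:root"}}]
}""")

# Hardened form: trust only the specific role that actually needs to assume it.
SCOPED_TRUST = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                 "Principal": {"AWS": "arn:aws:iam::123456789012:role/eks-cluster-handler"}}]
}""")

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_TRUST), ("scoped", SCOPED_TRUST)):
        print(name, broad_trust_findings(doc) or ["ok"])
```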
Long-Term Security Practices
Regularly monitor and update AWS CDK versions to ensure the latest security patches and fixes are applied.
Patching and Updates
Stay informed about security advisories and promptly apply patches to mitigate security risks.