CVE-2022-35930: CWE-347: Improper Verification of Cryptographic Signature in sigstore policy-controller

Medium
Published: Thu Aug 04 2022 (08/04/2022, 21:15:15 UTC)
Source: CVE
Vendor/Project: sigstore
Product: policy-controller

Description

PolicyController is a utility used to enforce supply chain policy in Kubernetes clusters. In versions prior to 0.2.1, PolicyController reports a false positive, admitting an image that should not be admitted, when there is at least one attestation with a valid signature but there are NO attestations of the type being verified (--type defaults to "custom"). An example image that can be used to test this is `ghcr.io/distroless/static@sha256:dd7614b5a12bc4d617b223c588b4e0c833402b8f4991fb5702ea83afad1986e2`. Users should upgrade to version 0.2.1 to resolve this issue. There are no workarounds for users unable to upgrade.

AI-Powered Analysis

Last updated: 06/23/2025, 00:21:47 UTC

Technical Analysis

CVE-2022-35930 is a vulnerability in the sigstore project's policy-controller component, specifically affecting versions prior to 0.2.1. PolicyController is a Kubernetes admission controller utility designed to enforce supply chain security policies by verifying cryptographic attestations on container images before they are admitted into a cluster. The vulnerability arises from improper verification of cryptographic signatures (CWE-347), where the controller incorrectly admits images if there is at least one attestation with a valid signature, even when there are no attestations of the specific type being verified. By default, the verification type is set to "custom". This logic flaw results in false positives, allowing potentially unverified or malicious images to be admitted into the Kubernetes cluster, bypassing intended supply chain security policies. An example image demonstrating this issue is provided (`ghcr.io/distroless/static@sha256:dd7614b5a12bc4d617b223c588b4e0c833402b8f4991fb5702ea83afad1986e2`). The vulnerability can be resolved by upgrading to version 0.2.1 of policy-controller. There are no known workarounds for users unable to upgrade, and no known exploits have been reported in the wild as of the publication date. This vulnerability impacts the integrity of the admission control process in Kubernetes clusters, potentially allowing unauthorized or unverified container images to run, which could lead to supply chain compromise or execution of malicious code within the cluster environment.
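The logic flaw described in the Description and Technical Analysis above, shown as an added Go model that is not policy-controller's own code: `admitVulnerable` mirrors the pre-0.2.1 behaviour (any validly signed attestation is enough), while `admitFixed` first selects attestations of the requested type and refuses when none exist. The `Attestation` struct, the predicate type strings and the sample inputs are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Attestation is a simplified stand-in for a signed attestation attached to an
// image (constructed model; not the policy-controller's own types).
type Attestation struct {
	PredicateType  string // the attestation type, compared against --type ("custom" by default)
	SignatureValid bool   // result of verifying the signature over the attestation
}

var ErrNoAttestationOfType = errors.New("no attestation of the requested type")
var ErrNoValidSignature = errors.New("no attestation of the requested type has a valid signature")

// admitVulnerable models the pre-0.2.1 check from CVE-2022-35930: one attestation
// with a valid signature admits the image, regardless of that attestation's type.
func admitVulnerable(atts []Attestation, wantType string) error {
	for _, a := range atts {
		if a.SignatureValid {
			return nil // admitted even when no attestation has type wantType
		}
	}
	return ErrNoValidSignature
}

// admitFixed filters by the requested type before looking at signatures, so an
// image with no attestation of that type is refused outright.
func admitFixed(atts []Attestation, wantType string) error {
	matched := 0
	for _, a := range atts {
		if a.PredicateType != wantType {
			continue
		}
		matched++
		if a.SignatureValid {
			return nil
		}
	}
	if matched == 0 {
		return ErrNoAttestationOfType
	}
	return ErrNoValidSignature
}

func main() {
	// Constructed sample: one validly signed attestation of an unrelated type,
	// and none of the default type "custom".
	atts := []Attestation{{PredicateType: "unrelated-type", SignatureValid: true}}
	fmt.Println("vulnerable:", admitVulnerable(atts, "custom")) // <nil>: wrongly admitted
	fmt.Println("fixed:", admitFixed(atts, "custom"))           // refused
}
```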

Potential Impact

For European organizations relying on Kubernetes clusters with sigstore's policy-controller versions prior to 0.2.1, this vulnerability undermines the integrity of supply chain security enforcement. Attackers or malicious insiders could exploit this flaw to deploy container images that bypass signature verification policies, potentially introducing malware, backdoors, or unauthorized code into production environments. This could lead to data breaches, service disruptions, or lateral movement within the network. Given the increasing adoption of Kubernetes in critical infrastructure, finance, healthcare, and government sectors across Europe, the risk of supply chain attacks exploiting this vulnerability could have significant operational and reputational consequences. The false positive admission weakens trust in the supply chain verification process, increasing the attack surface for supply chain compromise. Although no known exploits are reported, the ease of exploitation due to the logic flaw and lack of required user interaction means that attackers with access to the cluster or image repository could leverage this vulnerability effectively.

Mitigation Recommendations

1. Immediate upgrade of policy-controller to version 0.2.1 or later is essential to remediate the vulnerability.
2. Implement strict access controls and monitoring on Kubernetes admission controllers and image registries to detect anomalous admission events or image deployments.
3. Use additional layers of supply chain security such as image scanning, runtime protection, and anomaly detection to compensate for potential gaps in admission control.
4. Regularly audit Kubernetes cluster configurations and admission policies to ensure they align with security best practices and that no unauthorized changes have been made.
5. For organizations unable to upgrade immediately, consider isolating affected clusters or limiting deployment of untrusted images until the patch can be applied.
6. Educate DevOps and security teams on the importance of verifying policy-controller versions and monitoring for related security advisories.
7. Employ multi-factor authentication and role-based access control (RBAC) to reduce the risk of unauthorized image uploads or policy modifications.

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-07-15T00:00:00.000Z
CISA Enriched: true

Added to database: 5/21/2025, 9:09:24 AM

Last enriched: 6/23/2025, 12:21:47 AM

Last updated: 8/12/2025, 8:11:07 AM
