CVE-2022-36085: CWE-693: Protection Mechanism Failure in open-policy-agent opa
Open Policy Agent (OPA) is an open source, general-purpose policy engine. The Rego compiler provides a (deprecated) `WithUnsafeBuiltins` function, which allows users to provide a set of built-in functions that should be deemed unsafe — and as such rejected — by the compiler if encountered in the policy compilation stage. A bypass of this protection has been found, where the use of the `with` keyword to mock such a built-in function (a feature introduced in OPA v0.40.0), isn’t taken into account by `WithUnsafeBuiltins`. Multiple conditions need to be met in order to create an adverse effect. Version 0.43.1 contains a patch for this issue. As a workaround, avoid using the `WithUnsafeBuiltins` function and use the `capabilities` feature instead.
AI Analysis
Technical Summary
CVE-2022-36085 is a vulnerability in Open Policy Agent (OPA), an open-source, general-purpose policy engine widely used for policy-based control in cloud-native environments and infrastructure automation. The vulnerability is a protection mechanism failure (CWE-693) in the deprecated `WithUnsafeBuiltins` option of the Rego compiler. That option takes a set of built-in functions that the compiler is meant to reject if a policy uses them at compilation time. The bypass arises from a feature introduced in OPA v0.40.0: the `with` keyword can mock (replace) a built-in function, and `WithUnsafeBuiltins` does not take such `with` clauses into account, so a policy can reach a built-in the compiler was configured to reject. Exploitation requires several conditions to hold at once, in particular that the host application relies on `WithUnsafeBuiltins` and that the policy uses the `with` keyword to circumvent the check. The issue affects OPA versions from 0.40.0 up to, but not including, 0.43.1, which contains the fix. As a workaround, avoid `WithUnsafeBuiltins` and use the `capabilities` feature instead, which restricts the set of built-in functions available to policies. No exploits in the wild have been reported to date. The vulnerability is classified under CWE-693 (Protection Mechanism Failure) and CWE-20 (Improper Input Validation), indicating that the root cause lies in insufficient validation and enforcement of security controls within the policy compilation process.
Potential Impact
For European organizations, the impact of this vulnerability depends largely on the extent to which OPA is integrated into their infrastructure and policy enforcement workflows. OPA is commonly used in cloud-native environments, Kubernetes admission control, API gateways, and microservices architectures, all of which are prevalent in modern enterprise IT environments across Europe. If exploited, this vulnerability could allow an attacker or a malicious insider to bypass policy restrictions by injecting or mocking unsafe built-in functions, potentially leading to unauthorized access, privilege escalation, or policy enforcement failures. This could compromise the confidentiality, integrity, and availability of critical systems and data. Given that OPA is often used to enforce security policies at runtime, a successful bypass could undermine trust in automated policy enforcement, leading to compliance violations and increased risk of data breaches. However, exploitation complexity is moderate due to the need for specific conditions and policy configurations, and no public exploits are known. Organizations in sectors with high regulatory requirements, such as finance, healthcare, and critical infrastructure, could face significant operational and reputational damage if this vulnerability is exploited.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should:
1) Immediately upgrade OPA installations to version 0.43.1 or later, where the vulnerability has been patched.
2) Review and refactor existing policies to remove usage of the deprecated `WithUnsafeBuiltins` function, replacing it with the recommended `capabilities` feature to control built-in function usage securely.
3) Conduct thorough audits of policy code to detect any use of the `with` keyword that could be exploited to mock unsafe built-ins.
4) Implement strict access controls and code review processes for policy changes to prevent introduction of unsafe constructs.
5) Monitor OPA logs and policy evaluation results for anomalies that could indicate attempts to exploit this vulnerability.
6) Integrate OPA policy enforcement with broader security monitoring and incident response workflows to quickly detect and respond to potential misuse.
7) Educate developers and DevOps teams on secure policy authoring practices and the risks associated with deprecated functions.
These steps go beyond generic patching advice by emphasizing policy hygiene, secure coding practices, and operational monitoring tailored to OPA environments.
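The audit in recommendation 3 can be mechanised. The Go program below is an added example written for this page, not code from the OPA project: it scans Rego source with a regular expression for `with <target> as <replacement>` clauses and reports every clause in which either side names a built-in on an operator-supplied unsafe list. Flagging both sides goes slightly beyond the advisory, which describes mocking an unsafe built-in; in an audit the extra matches are cheap to review. The unsafe list (`http.send`, `opa.runtime`) and the sample policy are constructed for the demonstration. The scanner is purely textual, so it only sees what is written in the file, not what the compiler resolves; it complements, rather than replaces, upgrading to 0.43.1 and moving to `capabilities`.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Finding records one `with ... as ...` clause whose target or replacement
// names a built-in the operator considers unsafe.
type Finding struct {
	Line        int
	Target      string
	Replacement string
	Text        string
}

// withClause matches `with <ref> as <term>` anywhere on a line. The first
// group is the mocked reference, the second the replacement term, e.g.
// `with http.send as stub` yields ("http.send", "stub").
var withClause = regexp.MustCompile(`\bwith\s+([A-Za-z_][\w.]*)\s+as\s+([^\s{}]+)`)

// AuditPolicy scans Rego source line by line and returns every `with` clause
// whose target or replacement is in the unsafe set. Comment lines are skipped.
func AuditPolicy(src string, unsafe map[string]struct{}) []Finding {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(src))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		trimmed := strings.TrimSpace(line)
		if strings.HasPrefix(trimmed, "#") {
			continue
		}
		for _, m := range withClause.FindAllStringSubmatch(line, -1) {
			target, repl := m[1], m[2]
			_, badTarget := unsafe[target]
			_, badRepl := unsafe[repl]
			if badTarget || badRepl {
				findings = append(findings, Finding{Line: n, Target: target, Replacement: repl, Text: trimmed})
			}
		}
	}
	return findings
}

// samplePolicy is a constructed Rego module used to exercise the audit.
const samplePolicy = `package example

# Direct call: this is what WithUnsafeBuiltins itself rejects; the audit
# only looks at with clauses.
direct := http.send({"method": "GET", "url": "http://example.invalid"})

# with clauses that name an unsafe built-in on either side are flagged.
mocked := http.send({"method": "GET", "url": "http://example.invalid"}) with http.send as stub
swapped := count([1, 2, 3]) with count as http.send

# Mocking a safe built-in with a rule is not flagged.
harmless := count([1, 2, 3]) with count as stub

stub(_) := {"status_code": 200}
`

// UnsafeBuiltins is the constructed deny-list used in this example; real
// deployments would take it from the same source that fed WithUnsafeBuiltins.
var UnsafeBuiltins = map[string]struct{}{"http.send": {}, "opa.runtime": {}}

func main() {
	for _, f := range AuditPolicy(samplePolicy, UnsafeBuiltins) {
		fmt.Printf("line %d: `with %s as %s` names an unsafe built-in: %s\n",
			f.Line, f.Target, f.Replacement, f.Text)
	}
}
```

Running it against the embedded sample reports two findings (lines 8 and 9 of the policy) and stays silent on the harmless mock; in a CI pipeline the same function can be run over every `.rego` file in a bundle and made to fail the build when it returns anything.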
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Belgium, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-07-15T00:00:00.000Z
- Cisa Enriched: true
Threat ID: 682d9849c4522896dcbf690d
Added to database: 5/21/2025, 9:09:29 AM
Last enriched: 6/21/2025, 11:37:04 PM
Last updated: 8/10/2025, 7:58:43 AM