Bug 1843358 (CVE-2020-8558)
| Summary: | CVE-2020-8558 kubernetes: node localhost services reachable via martian packets | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Sam Fowler <sfowler> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | admiller, aos-bugs, bmontgom, cdc, danw, decarr, eparis, hchiramm, hvyas, jburrell, jcajka, jmulligan, joelsmith, jokerman, madam, mfojtik, nstielau, puebele, rhs-bugs, schoudha, security-response-team, sfowler, sponnaga, storage-qa-internal, sttts, vbellur |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | kubernetes 1.19.0, kubernetes 1.18.4, kubernetes 1.17.7 | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in Kubernetes that allows an attacker on a network adjacent to a node to reach services exposed on that node's localhost ports, which were previously assumed to be unreachable from off the node. Any service listening on a localhost port without authentication can be abused to gain privileges or to access confidential information. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-07-13 19:27:36 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1845772, 1845773, 1845774, 1845775, 1845776, 1845777, 1845778, 1845780, 1845781, 1849175, 1857092, 1860047, 1860048, 1860049, 1860050, 1860051, 1860052 | ||
| Bug Blocks: | 1843354 | ||
Description
Sam Fowler
2020-06-03 06:32:34 UTC
Upstream Issue: https://github.com/kubernetes/kubernetes/issues/90259
Upstream Fix: https://github.com/kubernetes/kubernetes/pull/91569

Statement: OpenShift Container Platform does not expose the API server on a localhost port without authentication. The only service exposed on a localhost port not protected by authentication is Metrics, which exposes some cluster metadata.

External References: https://groups.google.com/g/kubernetes-security-announce/c/B1VegbBDMTE

Acknowledgments:
Name: the Kubernetes Product Security Committee
Upstream: János Kövér (Ericsson), Rory McCune (NCC Group), Yuval Avrahami (Palo Alto Networks), Ariel Zelivansky (Palo Alto Networks)

Upstream Issue: https://github.com/kubernetes/kubernetes/issues/92315

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.5
Via RHSA-2020:2413 https://access.redhat.com/errata/RHSA-2020:2413

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.5
Via RHSA-2020:2412 https://access.redhat.com/errata/RHSA-2020:2412

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-8558

Created origin tracking bugs for this issue:
Affects: fedora-all [bug 1857092]

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.4
Via RHSA-2020:2927 https://access.redhat.com/errata/RHSA-2020:2927

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.4
Via RHSA-2020:2926 https://access.redhat.com/errata/RHSA-2020:2926

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 3.11
Via RHSA-2020:2992 https://access.redhat.com/errata/RHSA-2020:2992

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.3
Via RHSA-2020:3183 https://access.redhat.com/errata/RHSA-2020:3183

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.3
Via RHSA-2020:3184 https://access.redhat.com/errata/RHSA-2020:3184
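The mechanism behind the summary line, as an added example that is not part of this bug, of OpenShift, or of the upstream fix: the kubernetes-security-announce post linked in the description attributes the flaw to kube-proxy setting net.ipv4.conf.all.route_localnet=1 on nodes, which lets a packet that arrives on a non-loopback interface with a 127.0.0.0/8 destination be delivered to a listener bound only to localhost; the same post gives the iptables rule reproduced in MITIGATION_RULE as the pre-upgrade mitigation. The script audits a node for the three conditions together (sysctl enabled, a loopback-only TCP listener, no mitigating INPUT rule) and names the ports that are reachable by such martian packets. The /proc/net/tcp and `iptables -S INPUT` samples are constructed for the example, and has_mitigation_rule is a loose substring match of my own rather than an iptables rule parser.

```python
"""Audit a Linux node for CVE-2020-8558 exposure (added example, not the
Red Hat or Kubernetes code). Assumes the mechanism from the upstream
announcement: with route_localnet=1, a 127.0.0.0/8 destination arriving on a
non-loopback interface reaches a loopback-only listener unless an iptables
rule drops it. Inputs are taken as text so the logic runs on samples."""
import ipaddress
import subprocess

# Mitigation rule quoted from the kubernetes-security-announce post.
MITIGATION_RULE = ("iptables -I INPUT --dst 127.0.0.0/8 ! --src 127.0.0.0/8 "
                   "-m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP")

TCP_LISTEN = "0A"  # state column of /proc/net/tcp, hex
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Constructed /proc/net/tcp sample: 127.0.0.1:10000 LISTEN, 0.0.0.0:8080 LISTEN,
# and one ESTABLISHED connection on 127.0.0.1:10000 that must be ignored.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:2710 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:2710 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 20 4 30 10 -1
"""

# Constructed `iptables -S INPUT` samples, without and with the mitigation.
SAMPLE_IPTABLES_NO_RULE = ("-P INPUT ACCEPT\n"
                           "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n")
SAMPLE_IPTABLES_WITH_RULE = SAMPLE_IPTABLES_NO_RULE + (
    "-A INPUT ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m conntrack "
    "! --ctstate RELATED,ESTABLISHED,DNAT -j DROP\n")


def parse_proc_net_tcp(text):
    """Return (ip, port) for every socket in LISTEN state in /proc/net/tcp text."""
    listeners = []
    for line in text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue
        addr_hex, port_hex = fields[1].split(":")
        # /proc/net/tcp stores IPv4 as little-endian hex: 0100007F is 127.0.0.1
        ip = ipaddress.ip_address(int.from_bytes(bytes.fromhex(addr_hex), "little"))
        listeners.append((str(ip), int(port_hex, 16)))
    return listeners


def loopback_only(listeners):
    """Listeners bound inside 127.0.0.0/8; a 0.0.0.0 bind is already public."""
    return [(ip, port) for ip, port in listeners
            if ipaddress.ip_address(ip) in LOOPBACK]


def has_mitigation_rule(iptables_s_output):
    """Loose match (assumption, not an iptables parser) for the advisory's DROP rule."""
    for line in iptables_s_output.splitlines():
        if (line.startswith("-A INPUT") and "-d 127.0.0.0/8" in line
                and "! -s 127.0.0.0/8" in line and "-j DROP" in line):
            return True
    return False


def assess(route_localnet, proc_net_tcp, iptables_s_output):
    """Sorted loopback-only ports reachable from off-node via martian packets."""
    if route_localnet.strip() != "1":
        return []  # kernel default: loopback destinations from non-lo are dropped
    if has_mitigation_rule(iptables_s_output):
        return []
    return sorted(port for _, port in loopback_only(parse_proc_net_tcp(proc_net_tcp)))


def main():
    """Audit this node if its inputs are readable, else run on the samples."""
    try:
        with open("/proc/sys/net/ipv4/conf/all/route_localnet") as f:
            route_localnet = f.read()
        with open("/proc/net/tcp") as f:
            proc_net_tcp = f.read()
        rules = subprocess.run(["iptables", "-S", "INPUT"], capture_output=True,
                               text=True, check=False).stdout
    except OSError:
        route_localnet, proc_net_tcp, rules = "1", SAMPLE_PROC_NET_TCP, SAMPLE_IPTABLES_NO_RULE
    exposed = assess(route_localnet, proc_net_tcp, rules)
    if exposed:
        print("loopback-only ports reachable via martian packets:", exposed)
        print("pre-upgrade mitigation:", MITIGATION_RULE)
    else:
        print("no loopback-only listener exposed by route_localnet")


if __name__ == "__main__":
    main()
```

Run as root on a node (iptables -S needs CAP_NET_ADMIN); the OpenShift statement above applies here too, since the script reports every loopback-only port and leaves it to the operator to decide which of them, like the Metrics endpoint mentioned, lack authentication.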