Bug 1843358 (CVE-2020-8558)

Summary: CVE-2020-8558 kubernetes: node localhost services reachable via martian packets
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
Reporter: Sam Fowler <sfowler>
Assignee: Red Hat Product Security <security-response-team>
CC: admiller, aos-bugs, bmontgom, cdc, danw, decarr, eparis, hchiramm, hvyas, jburrell, jcajka, jmulligan, joelsmith, jokerman, madam, mfojtik, nstielau, puebele, rhs-bugs, schoudha, security-response-team, sfowler, sponnaga, storage-qa-internal, sttts, vbellur
Fixed In Version: kubernetes 1.19.0, kubernetes 1.18.4, kubernetes 1.17.7, kubernetes 1.17.7
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Kubernetes that allows attackers on adjacent networks to reach services exposed on localhost ports, previously thought to be unreachable. This flaw allows an attacker to gain privileges or access confidential information for any services listening on localhost ports that are not protected by authentication.
Last Closed: 2020-07-13 19:27:36 UTC
Bug Depends On: 1857092, 1860047, 1860048, 1860049, 1860050, 1860051, 1860052, 1845772, 1845773, 1845774, 1845775, 1845776, 1845777, 1845778, 1845780, 1845781, 1849175
Bug Blocks: 1843354

Description Sam Fowler 2020-06-03 06:32:34 UTC
Kubernetes' kube-proxy enables net.ipv4.conf.all.route_localnet by default on all nodes. This allows neighbouring hosts on the local network to reach ports on Kubernetes nodes that are only exposed on localhost.
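
An added node-audit helper (not code from this bug report or from Kubernetes itself) that checks the two things the description turns on: whether net.ipv4.conf.all.route_localnet is set to 1 on the node, and whether an iptables rule dropping non-loopback traffic addressed to 127.0.0.0/8 is present to compensate. The function names, the constructed sample output and the assumed rule shape (modelled on the upstream mitigation referenced by the linked advisory) are this example's own assumptions.

```shell
#!/bin/sh
# Added audit helper: both checks parse text so they can be run against
# "sysctl -n ..." / "iptables-save" output captured from a node, or against
# the constructed samples below. Nothing here changes node state.

# Returns 0 (true) when the sysctl value text is "1", i.e. route_localnet
# is on and packets addressed to 127.0.0.0/8 may arrive from the network.
route_localnet_enabled() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# Returns 0 when iptables-save output contains a DROP rule for traffic to
# 127.0.0.0/8 that does not itself originate from 127.0.0.0/8. The rule
# shape assumed here mirrors the upstream mitigation as iptables-save
# prints it; adjust the pattern if your nodes express the rule differently.
has_localnet_drop_rule() {
    printf '%s\n' "$1" | grep -E -- '! -s 127\.0\.0\.0/8 .*-d 127\.0\.0\.0/8 .*-j DROP' >/dev/null
}

# Combines both checks: prints "not-routed", "mitigated" or "exposed".
localnet_status() {
    sysctl_value=$1
    rules=$2
    if ! route_localnet_enabled "$sysctl_value"; then
        echo "not-routed"
    elif has_localnet_drop_rule "$rules"; then
        echo "mitigated"
    else
        echo "exposed"
    fi
}

# Constructed sample output standing in for a real node (assumption).
SAMPLE_SYSCTL="1"
SAMPLE_RULES_UNPATCHED='-A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP'
SAMPLE_RULES_PATCHED="$SAMPLE_RULES_UNPATCHED
-A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment \"block incoming localnet connections\" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP"

# On a live node, pass real values instead of the samples, e.g.:
#   localnet_status "$(sysctl -n net.ipv4.conf.all.route_localnet)" "$(iptables-save)"
echo "unpatched node: $(localnet_status "$SAMPLE_SYSCTL" "$SAMPLE_RULES_UNPATCHED")"
echo "patched node:   $(localnet_status "$SAMPLE_SYSCTL" "$SAMPLE_RULES_PATCHED")"
```

A node reporting "exposed" still has the localhost-only services described above reachable from adjacent hosts; "not-routed" means kube-proxy's sysctl is not in effect, so the drop rule is not needed.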

Comment 2 Sam Fowler 2020-06-03 06:33:33 UTC
Upstream Issue:

https://github.com/kubernetes/kubernetes/issues/90259

Comment 6 Sam Fowler 2020-06-17 05:37:29 UTC
Upstream Fix:

https://github.com/kubernetes/kubernetes/pull/91569

Comment 7 Sam Fowler 2020-06-17 05:37:33 UTC
Statement:

OpenShift Container Platform does not expose the API server on a localhost port without authentication. The only service exposed on a localhost port not protected by authentication is Metrics, which exposes some cluster metadata.

Comment 9 Sam Fowler 2020-07-08 22:04:05 UTC
External References:

https://groups.google.com/g/kubernetes-security-announce/c/B1VegbBDMTE

Comment 11 Sam Fowler 2020-07-13 02:54:43 UTC
Acknowledgments:

Name: the Kubernetes Product Security Committee
Upstream: János Kövér (Ericsson), Rory McCune (NCC Group), Yuval Avrahami (Palo Alto Networks), Ariel Zelivansky (Palo Alto Networks)

Comment 12 Sam Fowler 2020-07-13 03:00:26 UTC
Upstream Issue:

https://github.com/kubernetes/kubernetes/issues/92315

Comment 13 errata-xmlrpc 2020-07-13 16:44:59 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.5

Via RHSA-2020:2413 https://access.redhat.com/errata/RHSA-2020:2413

Comment 14 errata-xmlrpc 2020-07-13 17:23:21 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.5

Via RHSA-2020:2412 https://access.redhat.com/errata/RHSA-2020:2412

Comment 15 Product Security DevOps Team 2020-07-13 19:27:36 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-8558

Comment 16 Sam Fowler 2020-07-15 06:36:40 UTC
Created origin tracking bugs for this issue:

Affects: fedora-all [bug 1857092]

Comment 17 errata-xmlrpc 2020-07-21 09:55:47 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.4

Via RHSA-2020:2927 https://access.redhat.com/errata/RHSA-2020:2927

Comment 18 errata-xmlrpc 2020-07-21 10:42:56 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.4

Via RHSA-2020:2926 https://access.redhat.com/errata/RHSA-2020:2926

Comment 20 errata-xmlrpc 2020-07-27 18:49:37 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2020:2992 https://access.redhat.com/errata/RHSA-2020:2992

Comment 23 errata-xmlrpc 2020-08-05 10:12:29 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.3

Via RHSA-2020:3183 https://access.redhat.com/errata/RHSA-2020:3183

Comment 24 errata-xmlrpc 2020-08-05 10:26:45 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.3

Via RHSA-2020:3184 https://access.redhat.com/errata/RHSA-2020:3184