Bug 1954917 (CVE-2021-25737)

Summary: CVE-2021-25737 kubernetes: Holes in EndpointSlice Validation Enable Host Network Hijack
Product: [Other] Security Response
Reporter: Sam Fowler <sfowler>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: admiller, anbhat, aos-bugs, bbennett, bmontgom, eparis, jburrell, jcajka, joelsmith, jokerman, lhinds, mfojtik, nstielau, pducai, rtheis, security-response-team, sfowler, sponnaga, sttts, xxia
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: kubernetes 1.21.1, kubernetes 1.20.7, kubernetes 1.19.11, kubernetes 1.18.19
Doc Type: If docs needed, set a value
Doc Text:
A security issue was discovered in Kubernetes where an authorized user may be able to redirect traffic to private networks on a Node. An untrusted user could exploit this by creating or modifying EndpointSlices to point to localhost or link-local addresses.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-07-28 01:07:34 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1959864, 1954978, 1954979, 1962296
Bug Blocks: 1954918

Description Sam Fowler 2021-04-29 04:37:32 UTC
A security issue was discovered in Kubernetes where an authorized user may be able to redirect traffic to private networks on a Node. Kubernetes clusters are only affected if an untrusted user can create or modify EndpointSlices. Kubernetes already prevents creation of Endpoint IPs in the localhost or link-local range, but the same validation was not performed on EndpointSlice IPs.

Comment 1 Sam Fowler 2021-04-29 04:37:35 UTC
Acknowledgments:

Name: the Kubernetes Product Security Committee
Upstream: John Howard (Google)

Comment 5 Sam Fowler 2021-05-06 04:56:15 UTC
Upstream fix:

https://github.com/kubernetes/kubernetes/pull/101084

Comment 7 Sam Fowler 2021-05-10 05:40:19 UTC
Statement:

OpenShift Container Platform (OCP) 3.11 is not affected by this vulnerability as it does not support EndpointSlices. All current versions of OCP 4 support EndpointSlices and are therefore affected.

Comment 8 Sam Fowler 2021-05-10 05:40:22 UTC
Mitigation:

* Prevent untrusted users from creating or modifying EndpointSlices
* Create a validating admission webhook that rejects EndpointSlices with endpoint addresses in the 127.0.0.0/8 and 169.254.0.0/16 ranges
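
The description (comment 0) states the gap: Endpoints validation already refused localhost and link-local IPs, EndpointSlice validation did not. The mitigation above (comment 8) suggests closing that gap with a validating admission webhook until the fixed Kubernetes versions can be deployed. The program below is an added example written for this page, not Red Hat's code and not the upstream fix in PR 101084; it performs the check described in comment 8 on the `EndpointSlice` object carried in an `AdmissionReview`. Assumptions beyond the page: the check uses `net.IP.IsLoopback` and `net.IP.IsLinkLocalUnicast`, which cover the two IPv4 ranges named in the mitigation and also their IPv6 counterparts (`::1` and `fe80::/10`), on the assumption that a dual-stack cluster wants both blocked; slices with `addressType: FQDN` are passed through because their addresses are names, not IPs; the sample `AdmissionReview` (uid `7f0c`, slice `hijack-abc12`, port 10250) is constructed for the demonstration and is not a captured request; TLS serving and the `ValidatingWebhookConfiguration` that registers the webhook are left to the usage note.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
)

// Subset of the admission.k8s.io/v1 AdmissionReview envelope: what is read from
// the request and what is echoed back with the verdict.
type admissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *admissionRequest  `json:"request,omitempty"`
	Response   *admissionResponse `json:"response,omitempty"`
}
type admissionRequest struct {
	UID    string          `json:"uid"`
	Object json.RawMessage `json:"object"` // the EndpointSlice being created or updated
}
type admissionResponse struct {
	UID     string            `json:"uid"`
	Allowed bool              `json:"allowed"`
	Status  map[string]string `json:"status,omitempty"` // {"message": reason} on deny
}

// Subset of discovery.k8s.io/v1 EndpointSlice that the check inspects.
type endpointSlice struct {
	AddressType string `json:"addressType"` // IPv4, IPv6 or FQDN
	Endpoints   []struct {
		Addresses []string `json:"addresses"`
	} `json:"endpoints"`
}

// checkAddress returns a non-empty reason when addr must be rejected. The two
// net.IP predicates cover 127.0.0.0/8 and 169.254.0.0/16 from the mitigation and
// (assumption: dual-stack clusters) their IPv6 counterparts ::1 and fe80::/10.
// IPv4-mapped forms such as ::ffff:127.0.0.1 are caught as well, because net.IP
// normalises them before testing. An unparseable address is rejected too: fail closed.
func checkAddress(addr string) string {
	ip := net.ParseIP(addr)
	switch {
	case ip == nil:
		return "is not a valid IP address"
	case ip.IsLoopback():
		return "is a loopback address"
	case ip.IsLinkLocalUnicast():
		return "is a link-local address"
	}
	return ""
}

// validateEndpointSlice returns nil when every endpoint address is acceptable.
func validateEndpointSlice(raw []byte) error {
	var es endpointSlice
	if err := json.Unmarshal(raw, &es); err != nil {
		return fmt.Errorf("cannot decode EndpointSlice: %v", err)
	}
	if es.AddressType == "FQDN" {
		return nil // addresses are host names, not IPs; nothing to range-check
	}
	for i, ep := range es.Endpoints {
		for _, a := range ep.Addresses {
			if reason := checkAddress(a); reason != "" {
				return fmt.Errorf("endpoints[%d].addresses: %q %s", i, a, reason)
			}
		}
	}
	return nil
}

// review maps an encoded AdmissionReview request to the encoded response the
// API server expects. Malformed input is returned as an error so the HTTP layer
// can answer 400; with failurePolicy: Fail the API server then denies the write.
func review(body []byte) ([]byte, error) {
	var ar admissionReview
	if err := json.Unmarshal(body, &ar); err != nil || ar.Request == nil {
		return nil, fmt.Errorf("malformed AdmissionReview")
	}
	resp := &admissionResponse{UID: ar.Request.UID, Allowed: true}
	if err := validateEndpointSlice(ar.Request.Object); err != nil {
		resp.Allowed = false
		resp.Status = map[string]string{"message": err.Error()}
	}
	return json.Marshal(admissionReview{APIVersion: ar.APIVersion, Kind: ar.Kind, Response: resp})
}

// Constructed sample (not a captured request): CREATE of an EndpointSlice whose
// only endpoint is the node's loopback, the shape the unpatched validation let through.
const sampleReview = `{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview","request":{"uid":"7f0c","operation":"CREATE","object":{"apiVersion":"discovery.k8s.io/v1","kind":"EndpointSlice","metadata":{"name":"hijack-abc12"},"addressType":"IPv4","endpoints":[{"addresses":["127.0.0.1"]}],"ports":[{"port":10250}]}}}`

func main() {
	out, err := review([]byte(sampleReview))
	if err != nil {
		panic(err)
	}
	fmt.Println(string(out)) // "allowed":false with the offending address in status.message
}
```

To deploy this, wrap `review` in an `http.Handler` that reads the POST body and writes the returned JSON, serve it with `http.ListenAndServeTLS`, and register it with a `ValidatingWebhookConfiguration` whose rule matches `discovery.k8s.io` / `endpointslices` for the `CREATE` and `UPDATE` operations with `failurePolicy: Fail`; with `Ignore`, an outage of the webhook would silently reopen the hole. Note that the webhook then also sees every slice written by the cluster's own EndpointSlice controller, so it must stay fast and available, and that it is a stopgap for clusters that cannot yet take the versions listed under "Fixed In Version", where the API server performs this validation itself.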

Comment 11 Michael Kaplan 2021-05-19 17:16:46 UTC
Created origin tracking bugs for this issue:

Affects: fedora-all [bug 1962296]

Comment 12 errata-xmlrpc 2021-07-27 22:07:34 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:2437 https://access.redhat.com/errata/RHSA-2021:2437

Comment 13 Product Security DevOps Team 2021-07-28 01:07:34 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-25737

Comment 14 Richard Theis 2021-08-21 10:57:38 UTC
Where can we find the status for the OpenShift version 4.7 and earlier releases with respect to this CVE?

Comment 15 Sam Fowler 2021-08-23 00:14:06 UTC
(In reply to Richard Theis from comment #14)
> Where can we find the status for the OpenShift version 4.7 and earlier
> releases with respect to this CVE?

OpenShift 4.8.2 is the first released version of OpenShift 4 that has been fixed. Earlier released versions of OpenShift 4 are affected.