Bug 1843358 (CVE-2020-8558) - CVE-2020-8558 kubernetes: node localhost services reachable via martian packets
Summary: CVE-2020-8558 kubernetes: node localhost services reachable via martian packets
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-8558
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1860047 1860048 1860049 1860050 1860051 1860052 1845772 1845773 1845774 1845775 1845776 1845777 1845778 1845780 1845781 1849175 1857092
Blocks: 1843354
Reported: 2020-06-03 06:32 UTC by Sam Fowler
Modified: 2021-02-16 19:57 UTC
CC List: 26 users

Fixed In Version: kubernetes 1.19.0, kubernetes 1.18.4, kubernetes 1.17.7
Doc Text:
A flaw was found in Kubernetes that allows attackers on adjacent networks to reach services exposed on localhost ports, previously thought to be unreachable. This flaw allows an attacker to gain privileges or access confidential information for any services listening on localhost ports that are not protected by authentication.
Clone Of:
Environment:
Last Closed: 2020-07-13 19:27:36 UTC
Embargoed:




Links (System / ID / Last Updated):
Red Hat Product Errata RHSA-2020:2412 - 2020-07-13 17:23:24 UTC
Red Hat Product Errata RHSA-2020:2413 - 2020-07-13 16:45:01 UTC
Red Hat Product Errata RHSA-2020:2926 - 2020-07-21 10:43:00 UTC
Red Hat Product Errata RHSA-2020:2927 - 2020-07-21 09:55:51 UTC
Red Hat Product Errata RHSA-2020:2992 - 2020-07-27 18:49:40 UTC
Red Hat Product Errata RHSA-2020:3183 - 2020-08-05 10:12:32 UTC
Red Hat Product Errata RHSA-2020:3184 - 2020-08-05 10:26:48 UTC

Description Sam Fowler 2020-06-03 06:32:34 UTC
Kubernetes' kube-proxy enables net.ipv4.conf.all.route_localnet by default on all nodes. This allows neighbouring hosts on the local network to reach ports on Kubernetes nodes that are only exposed on localhost.
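
A node audit for the condition described above, written as an added example (it is not part of this bug record, of kube-proxy, or of the upstream fix). It parses constructed `sysctl -a` and `iptables-save` snapshots per node, flags any interface with route_localnet=1, and treats a node as mitigated only when the INPUT chain carries the loopback-guard DROP rule recommended in the upstream advisory (drop packets to 127.0.0.0/8 whose source is not 127.0.0.0/8 and that are not RELATED/ESTABLISHED). Node names and snapshot contents are constructed sample data.

```python
"""Audit constructed node snapshots for CVE-2020-8558 exposure (added example)."""
import re

# Constructed sample data: per-node `sysctl -a` and `iptables-save` excerpts.
NODES = {
    "worker-1": {  # kube-proxy default, no guard rule -> exposed
        "sysctl": "net.ipv4.conf.all.route_localnet = 1\n"
                  "net.ipv4.conf.eth0.route_localnet = 0\n",
        "iptables": "*filter\n-A INPUT -p tcp --dport 22 -j ACCEPT\nCOMMIT\n",
    },
    "worker-2": {  # route_localnet still on, but advisory DROP rule installed
        "sysctl": "net.ipv4.conf.all.route_localnet = 1\n",
        "iptables": "*filter\n-A INPUT ! -s 127.0.0.0/8 -d 127.0.0.0/8 "
                    "-m conntrack ! --ctstate RELATED,ESTABLISHED -j DROP\nCOMMIT\n",
    },
    "worker-3": {  # route_localnet disabled everywhere
        "sysctl": "net.ipv4.conf.all.route_localnet = 0\n"
                  "net.ipv4.conf.eth0.route_localnet = 0\n",
        "iptables": "*filter\nCOMMIT\n",
    },
}

ROUTE_LOCALNET = re.compile(r"^net\.ipv4\.conf\.(\S+)\.route_localnet\s*=\s*(\d)", re.M)


def route_localnet_enabled(sysctl_text):
    """Interfaces (including 'all') on which route_localnet is 1."""
    return [iface for iface, val in ROUTE_LOCALNET.findall(sysctl_text) if val == "1"]


def has_loopback_guard(iptables_text):
    """True if an INPUT rule drops non-loopback-sourced traffic aimed at 127.0.0.0/8.
    iptables-save renders a negated source as '! -s <cidr>'."""
    for line in iptables_text.splitlines():
        if not line.startswith("-A INPUT"):
            continue
        if ("-d 127.0.0.0/8" in line and "! -s 127.0.0.0/8" in line
                and line.rstrip().endswith("-j DROP")):
            return True
    return False


def assess(sysctl_text, iptables_text):
    """'not-exposed', 'mitigated' or 'exposed' for one node."""
    if not route_localnet_enabled(sysctl_text):
        return "not-exposed"
    return "mitigated" if has_loopback_guard(iptables_text) else "exposed"


def audit(nodes):
    return {name: assess(n["sysctl"], n["iptables"]) for name, n in nodes.items()}


if __name__ == "__main__":
    for node, verdict in audit(NODES).items():
        print(f"{node}: {verdict}")
```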

Comment 2 Sam Fowler 2020-06-03 06:33:33 UTC
Upstream Issue:

https://github.com/kubernetes/kubernetes/issues/90259

Comment 6 Sam Fowler 2020-06-17 05:37:29 UTC
Upstream Fix:

https://github.com/kubernetes/kubernetes/pull/91569

Comment 7 Sam Fowler 2020-06-17 05:37:33 UTC
Statement:

OpenShift Container Platform does not expose the API server on a localhost port without authentication. The only service exposed on a localhost port not protected by authentication is Metrics, which exposes some cluster metadata.

Comment 9 Sam Fowler 2020-07-08 22:04:05 UTC
External References:

https://groups.google.com/g/kubernetes-security-announce/c/B1VegbBDMTE

Comment 11 Sam Fowler 2020-07-13 02:54:43 UTC
Acknowledgments:

Name: the Kubernetes Product Security Committee
Upstream: János Kövér (Ericsson), Rory McCune (NCC Group), Yuval Avrahami (Palo Alto Networks), Ariel Zelivansky (Palo Alto Networks)

Comment 12 Sam Fowler 2020-07-13 03:00:26 UTC
Upstream Issue:

https://github.com/kubernetes/kubernetes/issues/92315

Comment 13 errata-xmlrpc 2020-07-13 16:44:59 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.5

Via RHSA-2020:2413 https://access.redhat.com/errata/RHSA-2020:2413

Comment 14 errata-xmlrpc 2020-07-13 17:23:21 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.5

Via RHSA-2020:2412 https://access.redhat.com/errata/RHSA-2020:2412

Comment 15 Product Security DevOps Team 2020-07-13 19:27:36 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-8558

Comment 16 Sam Fowler 2020-07-15 06:36:40 UTC
Created origin tracking bugs for this issue:

Affects: fedora-all [bug 1857092]

Comment 17 errata-xmlrpc 2020-07-21 09:55:47 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.4

Via RHSA-2020:2927 https://access.redhat.com/errata/RHSA-2020:2927

Comment 18 errata-xmlrpc 2020-07-21 10:42:56 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.4

Via RHSA-2020:2926 https://access.redhat.com/errata/RHSA-2020:2926

Comment 20 errata-xmlrpc 2020-07-27 18:49:37 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2020:2992 https://access.redhat.com/errata/RHSA-2020:2992

Comment 23 errata-xmlrpc 2020-08-05 10:12:29 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.3

Via RHSA-2020:3183 https://access.redhat.com/errata/RHSA-2020:3183

Comment 24 errata-xmlrpc 2020-08-05 10:26:45 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.3

Via RHSA-2020:3184 https://access.redhat.com/errata/RHSA-2020:3184