Kubernetes' kube-proxy enables net.ipv4.conf.all.route_localnet by default on all nodes. This allows neighbouring hosts on the local network to reach ports on Kubernetes nodes that are only exposed on localhost.
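A defender-side audit of the setting described above, added here as an example and not part of the Red Hat or Kubernetes material. It reads route_localnet for every interface under /proc/sys (or a constructed tree passed as an argument, used below so it runs offline) and reports the interfaces where the kernel treats the setting as enabled, since the kernel applies conf.all OR conf.<iface>.

```shell
#!/bin/sh
# Added example (not from the bug report): audit net.ipv4.conf.*.route_localnet.
# The kernel treats route_localnet as enabled on an interface when
# conf.all.route_localnet OR conf.<iface>.route_localnet is 1, which is why
# kube-proxy's single conf.all=1 setting affects every interface on the node.

# Print "<iface> <configured> <effective>" for each real interface.
# $1: sysctl root, defaults to /proc/sys (a constructed tree is used below).
audit_route_localnet() {
  root="${1:-/proc/sys}"
  all=$(cat "$root/net/ipv4/conf/all/route_localnet" 2>/dev/null || echo 0)
  for f in "$root"/net/ipv4/conf/*/route_localnet; do
    [ -f "$f" ] || continue
    iface=$(basename "$(dirname "$f")")
    case "$iface" in all|default) continue ;; esac
    conf=$(cat "$f")
    effective=0
    if [ "$all" = 1 ] || [ "$conf" = 1 ]; then effective=1; fi
    printf '%s %s %s\n' "$iface" "$conf" "$effective"
  done
}

# List the non-loopback interfaces where the setting is effectively on, i.e.
# where packets addressed to 127.0.0.0/8 arriving from the network are routed.
exposed_interfaces() {
  audit_route_localnet "$1" | awk '$3 == 1 && $1 != "lo" { print $1 }' \
    | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample tree mimicking a node where kube-proxy set conf.all=1
# while no per-interface value was touched (eth0/eth1 stay 0).
make_sample_tree() {
  dir=$(mktemp -d)
  for i in all default eth0 eth1 lo; do
    mkdir -p "$dir/net/ipv4/conf/$i"
    echo 0 > "$dir/net/ipv4/conf/$i/route_localnet"
  done
  echo 1 > "$dir/net/ipv4/conf/all/route_localnet"
  echo "$dir"
}

sample=$(make_sample_tree)
audit_route_localnet "$sample"
echo "exposed: $(exposed_interfaces "$sample")"   # exposed: eth0 eth1
rm -rf "$sample"
```

Run without arguments on a node to audit the live /proc/sys tree; a non-empty exposed list means localhost-bound ports on that node are reachable from neighbouring hosts unless filtered.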
Upstream Issue: https://github.com/kubernetes/kubernetes/issues/90259
Upstream Fix: https://github.com/kubernetes/kubernetes/pull/91569
Statement: OpenShift Container Platform does not expose the API server on a localhost port without authentication. The only service exposed on a localhost port not protected by authentication is Metrics, which exposes some cluster metadata.
External References: https://groups.google.com/g/kubernetes-security-announce/c/B1VegbBDMTE
Acknowledgments: Name: the Kubernetes Product Security Committee. Upstream: János Kövér (Ericsson), Rory McCune (NCC Group), Yuval Avrahami (Palo Alto Networks), Ariel Zelivansky (Palo Alto Networks)
Upstream Issue: https://github.com/kubernetes/kubernetes/issues/92315
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.5 Via RHSA-2020:2413 https://access.redhat.com/errata/RHSA-2020:2413
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.5 Via RHSA-2020:2412 https://access.redhat.com/errata/RHSA-2020:2412
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-8558
Created origin tracking bugs for this issue: Affects: fedora-all [bug 1857092]
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.4 Via RHSA-2020:2927 https://access.redhat.com/errata/RHSA-2020:2927
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.4 Via RHSA-2020:2926 https://access.redhat.com/errata/RHSA-2020:2926
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.11 Via RHSA-2020:2992 https://access.redhat.com/errata/RHSA-2020:2992
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.3 Via RHSA-2020:3183 https://access.redhat.com/errata/RHSA-2020:3183
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.3 Via RHSA-2020:3184 https://access.redhat.com/errata/RHSA-2020:3184