Until OpenShift Container Platform 4.6.6, restricting the router-default service to certain IP source ranges was possible by directly editing the service object [1]. Since 4.6.6, changes to the loadBalancerSourceRanges field are overwritten with the default of all IP ranges. If a cluster is affected by this issue, an attacker can use the flaw to access resources which should be restricted to the specified IP ranges. [1] https://access.redhat.com/solutions/5158751
Upstream commit: https://github.com/openshift/cluster-ingress-operator/pull/507
Mitigation: Move the allowed IP source ranges from the loadBalancerSourceRanges setting to the "service.beta.kubernetes.io/load-balancer-source-ranges" annotation. For example: oc -n openshift-ingress annotate svc/router-default service.beta.kubernetes.io/load-balancer-source-ranges=10.0.0.0/8,192.168.0.0/16
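The following is an added example, not part of the Red Hat bug report or of the cluster-ingress-operator project. It assumes the router-default service has been exported as JSON (for instance with oc get svc -o json) and loaded as a Python dict; the sample service object embedded below is constructed for illustration. It classifies whether the source-range restriction lives in the spec field that the operator resets or in the annotation the mitigation recommends, and builds the migrated object so the ranges can be compared with what is actually applied to the cluster.

```python
import copy

# Kubernetes annotation named in the mitigation above.
SOURCE_RANGE_ANNOTATION = "service.beta.kubernetes.io/load-balancer-source-ranges"

# Constructed sample: a router-default service restricted only via the spec
# field, which the ingress operator (4.6.6 and later) resets to all ranges.
SAMPLE_SERVICE = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {
        "name": "router-default",
        "namespace": "openshift-ingress",
        "annotations": {},
    },
    "spec": {
        "type": "LoadBalancer",
        "loadBalancerSourceRanges": ["10.0.0.0/8", "192.168.0.0/16"],
    },
}


def _split_ranges(value):
    """Turn the comma-separated annotation value into a list of CIDR strings."""
    return [r.strip() for r in (value or "").split(",") if r.strip()]


def source_range_status(svc):
    """Report where the service's source-range restriction is configured.

    Returns one of:
      'annotation'   - restriction is in the annotation (survives the operator)
      'spec-only'    - restriction is only in spec.loadBalancerSourceRanges,
                       which the operator overwrites (the fragile configuration)
      'both'         - configured in both places
      'unrestricted' - no restriction anywhere
    """
    spec_ranges = (svc.get("spec") or {}).get("loadBalancerSourceRanges") or []
    annotations = (svc.get("metadata") or {}).get("annotations") or {}
    ann_ranges = _split_ranges(annotations.get(SOURCE_RANGE_ANNOTATION))
    if spec_ranges and ann_ranges:
        return "both"
    if ann_ranges:
        return "annotation"
    if spec_ranges:
        return "spec-only"
    return "unrestricted"


def migrate_to_annotation(svc):
    """Return a copy of svc with spec.loadBalancerSourceRanges moved into the
    annotation, preserving any ranges already present there. The input is not
    modified."""
    out = copy.deepcopy(svc)
    spec = out.setdefault("spec", {})
    spec_ranges = spec.get("loadBalancerSourceRanges") or []
    if not spec_ranges:
        return out
    metadata = out.setdefault("metadata", {})
    if metadata.get("annotations") is None:  # handles 'annotations: null'
        metadata["annotations"] = {}
    annotations = metadata["annotations"]
    merged = _split_ranges(annotations.get(SOURCE_RANGE_ANNOTATION))
    for cidr in spec_ranges:
        if cidr not in merged:
            merged.append(cidr)
    annotations[SOURCE_RANGE_ANNOTATION] = ",".join(merged)
    # The operator resets this field anyway; drop it so the object reflects
    # the single authoritative place the restriction now lives.
    spec.pop("loadBalancerSourceRanges", None)
    return out


if __name__ == "__main__":
    print("before:", source_range_status(SAMPLE_SERVICE))
    migrated = migrate_to_annotation(SAMPLE_SERVICE)
    print("after: ", source_range_status(migrated))
    print("annotation value:", migrated["metadata"]["annotations"][SOURCE_RANGE_ANNOTATION])
```

The annotation value produced by migrate_to_annotation is the same comma-separated list the oc annotate command in the mitigation expects, so it can be pasted into that command directly; running source_range_status against the live service afterwards confirms the restriction is no longer in the field the operator overwrites.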
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 via RHSA-2020:5614 https://access.redhat.com/errata/RHSA-2020:5614
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-27836