A security issue was discovered in Kubernetes where an authorized user may be able to redirect traffic to private networks on a Node. Kubernetes clusters are only affected if an untrusted user can create or modify EndpointSlices. Kubernetes already prevents creation of Endpoint IPs in the localhost or link-local range, but the same validation was not performed on EndpointSlice IPs.
Acknowledgments:
Name: the Kubernetes Product Security Committee
Upstream: John Howard (Google)
Upstream fix: https://github.com/kubernetes/kubernetes/pull/101084
Statement: OpenShift Container Platform (OCP) 3.11 is not affected by this vulnerability as it does not support EndpointSlices. All current versions of OCP 4 support EndpointSlices and are therefore affected.
Mitigation:
* Prevent untrusted users from creating or modifying EndpointSlices
* Create a validating admission webhook that rejects EndpointSlices with endpoint addresses in the 127.0.0.0/8 and 169.254.0.0/16 ranges
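The validation core of such a webhook, written here as an added example (not code from the page, Red Hat or Kubernetes) in Go with only the standard library: it reads the AdmissionReview body the API server POSTs, pulls the endpoint addresses out of the EndpointSlice, and denies the request if any address is loopback or link-local, going slightly beyond the two ranges above by treating the IPv6 equivalents (::1, fe80::/10) the same way. The TLS listener, HTTP handler and ValidatingWebhookConfiguration are assumed to exist around it.

```go
package main

import (
	"encoding/json"
	"net"
)
// Only the parts of the AdmissionReview / EndpointSlice JSON the check reads.
type admissionReview struct {
	Request struct {
		UID    string `json:"uid"`
		Object struct {
			Endpoints []struct {
				Addresses []string `json:"addresses"`
			} `json:"endpoints"`
		} `json:"object"`
	} `json:"request"`
}
// rejectReason returns "" if addr may appear in an EndpointSlice, else why not. IsLoopback
// covers 127.0.0.0/8 and ::1, IsLinkLocalUnicast 169.254.0.0/16 and fe80::/10; unparseable too.
func rejectReason(addr string) string {
	ip := net.ParseIP(addr)
	switch {
	case ip == nil:
		return "address " + addr + " is not a valid IP"
	case ip.IsLoopback():
		return "address " + addr + " is in the loopback range"
	case ip.IsLinkLocalUnicast():
		return "address " + addr + " is in the link-local range"
	}
	return ""
}
// reviewEndpointSlice takes the AdmissionReview body the API server POSTs and returns the
// response body: allowed, or denied naming the first offending address (uid is echoed back).
func reviewEndpointSlice(body []byte) ([]byte, error) {
	var ar admissionReview
	if err := json.Unmarshal(body, &ar); err != nil {
		return nil, err
	}
	resp := map[string]interface{}{"uid": ar.Request.UID, "allowed": true}
	for _, ep := range ar.Request.Object.Endpoints {
		for _, a := range ep.Addresses {
			if r := rejectReason(a); r != "" && resp["status"] == nil {
				resp["allowed"] = false
				resp["status"] = map[string]string{"message": r}
			}
		}
	}
	return json.Marshal(map[string]interface{}{"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": resp})
}
```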
Created origin tracking bugs for this issue: Affects: fedora-all [bug 1962296]
This issue has been addressed in the following products:
  Red Hat OpenShift Container Platform 4.8
    Via RHSA-2021:2437 https://access.redhat.com/errata/RHSA-2021:2437
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-25737
Where can we find the status for the OpenShift version 4.7 and earlier releases with respect to this CVE?
(In reply to Richard Theis from comment #14)
> Where can we find the status for the OpenShift version 4.7 and earlier
> releases with respect to this CVE?

OpenShift 4.8.2 is the first released version of OpenShift 4 that has been fixed. Earlier released versions of OpenShift 4 are affected.