Bug 1954917 (CVE-2021-25737) - CVE-2021-25737 kubernetes: Holes in EndpointSlice Validation Enable Host Network Hijack
Summary: CVE-2021-25737 kubernetes: Holes in EndpointSlice Validation Enable Host Network Hijack
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-25737
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1959864 1954978 1954979 1962296
Blocks: 1954918
Reported: 2021-04-29 04:37 UTC by Sam Fowler
Modified: 2021-11-14 23:43 UTC
CC: 20 users

Fixed In Version: kubernetes 1.21.1, kubernetes 1.20.7, kubernetes 1.19.11, kubernetes 1.18.19
Doc Type: If docs needed, set a value
Doc Text:
A security issue was discovered in Kubernetes where an authorized user may be able to redirect traffic to private networks on a Node. An untrusted user could exploit this by creating or modifying EndpointSlices to point to localhost or link-local addresses.
Clone Of:
Environment:
Last Closed: 2021-07-28 01:07:34 UTC
Embargoed:



Links: Red Hat Product Errata RHSA-2021:2437 (last updated 2021-07-27 22:07:36 UTC)

Description Sam Fowler 2021-04-29 04:37:32 UTC
A security issue was discovered in Kubernetes where an authorized user may be able to redirect traffic to private networks on a Node. Kubernetes clusters are only affected if an untrusted user can create or modify EndpointSlices. Kubernetes already prevents creation of Endpoint IPs in the localhost or link-local range, but the same validation was not performed on EndpointSlice IPs.

Comment 1 Sam Fowler 2021-04-29 04:37:35 UTC
Acknowledgments:

Name: the Kubernetes Product Security Committee
Upstream: John Howard (Google)

Comment 5 Sam Fowler 2021-05-06 04:56:15 UTC
Upstream fix:

https://github.com/kubernetes/kubernetes/pull/101084

Comment 7 Sam Fowler 2021-05-10 05:40:19 UTC
Statement:

OpenShift Container Platform (OCP) 3.11 is not affected by this vulnerability as it does not support EndpointSlices. All current versions of OCP 4 support EndpointSlices and are therefore affected.

Comment 8 Sam Fowler 2021-05-10 05:40:22 UTC
Mitigation:

* Prevent untrusted users from creating or modifying EndpointSlices
* Create a validating admission webhook that rejects EndpointSlices with endpoint addresses in the 127.0.0.0/8 and 169.254.0.0/16 ranges

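The webhook check the mitigation above describes, covering the gap the description in comment 0 points to (Endpoints IPs were validated, EndpointSlice IPs were not), as an added example in Go using only the standard library. It is not code from this bug report, from the Kubernetes project or from the upstream fix. It deliberately goes beyond the two IPv4 ranges named in the mitigation: it also rejects the IPv6 loopback and link-local addresses, link-local multicast and the unspecified address, which is the set that the existing Endpoints validation refuses. The `endpointSlice` and `admissionReview` structs are hand-written minimal subsets of the real API types, the function names `rejectedAddresses` and `review` are hypothetical, and `sampleReview` is a constructed request in which a link-local address stands in for a node-local service such as a cloud metadata endpoint.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"strings"
)

// Hand-written minimal subsets of discovery.k8s.io/v1 EndpointSlice and
// admission.k8s.io/v1 AdmissionReview: assumed shapes, only the fields read here.
type endpointSlice struct {
	Metadata struct {
		Name      string `json:"name"`
		Namespace string `json:"namespace"`
	} `json:"metadata"`
	AddressType string `json:"addressType"`
	Endpoints   []struct{ Addresses []string `json:"addresses"` } `json:"endpoints"`
}
type admissionResponse struct {
	UID     string            `json:"uid"`
	Allowed bool              `json:"allowed"`
	Status  map[string]string `json:"status,omitempty"`
}
type admissionReview struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Request    *struct {
		UID    string          `json:"uid"`
		Object json.RawMessage `json:"object"`
	} `json:"request,omitempty"`
	Response *admissionResponse `json:"response,omitempty"`
}

// rejectedAddresses lists every endpoint address that would steer Service traffic
// onto the node itself: loopback (127.0.0.0/8, ::1, IPv4-mapped ::ffff:127.x.x.x),
// link-local unicast (169.254.0.0/16, fe80::/10), link-local multicast and the
// unspecified address. FQDN slices carry hostnames rather than IPs and are skipped.
func rejectedAddresses(slice endpointSlice) []string {
	if slice.AddressType == "FQDN" {
		return nil
	}
	var bad []string
	for _, ep := range slice.Endpoints {
		for _, a := range ep.Addresses {
			ip := net.ParseIP(a)
			switch {
			case ip == nil:
				bad = append(bad, a+" (not an IP address)")
			case ip.IsLoopback():
				bad = append(bad, a+" (loopback)")
			case ip.IsLinkLocalUnicast():
				bad = append(bad, a+" (link-local)")
			case ip.IsLinkLocalMulticast():
				bad = append(bad, a+" (link-local multicast)")
			case ip.IsUnspecified():
				bad = append(bad, a+" (unspecified)")
			}
		}
	}
	return bad
}

// review decodes one AdmissionReview carrying an EndpointSlice and returns the
// encoded response: request UID echoed back, denied with every bad address named.
func review(body []byte) ([]byte, error) {
	var ar admissionReview
	if err := json.Unmarshal(body, &ar); err != nil || ar.Request == nil {
		return nil, fmt.Errorf("malformed AdmissionReview or missing request: %v", err)
	}
	var slice endpointSlice
	if err := json.Unmarshal(ar.Request.Object, &slice); err != nil {
		return nil, fmt.Errorf("decode EndpointSlice: %w", err)
	}
	resp := &admissionResponse{UID: ar.Request.UID, Allowed: true}
	if bad := rejectedAddresses(slice); len(bad) > 0 {
		resp.Allowed = false
		resp.Status = map[string]string{"message": fmt.Sprintf(
			"EndpointSlice %s/%s: endpoint addresses must not be node-local: %s",
			slice.Metadata.Namespace, slice.Metadata.Name, strings.Join(bad, ", "))}
	}
	return json.Marshal(admissionReview{APIVersion: ar.APIVersion, Kind: ar.Kind, Response: resp})
}

// sampleReview is a constructed request, not captured from a cluster: a tenant's
// slice that adds a link-local address next to a legitimate pod IP.
const sampleReview = `{"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
  "request": {"uid": "0f1e2d3c-example-uid", "object": {
    "apiVersion": "discovery.k8s.io/v1", "kind": "EndpointSlice",
    "metadata": {"name": "db-abc12", "namespace": "tenant-a"},
    "addressType": "IPv4",
    "endpoints": [{"addresses": ["10.244.1.7"]}, {"addresses": ["169.254.169.254"]}]}}}`

func main() {
	out, err := review([]byte(sampleReview))
	fmt.Println(string(out), err)
}
```

To deploy this as the mitigation describes, serve `review` from an http.Handler over TLS and register it with a ValidatingWebhookConfiguration that matches discovery.k8s.io endpointslices on CREATE and UPDATE; it is a stopgap for clusters not yet on the fixed versions listed above, and the first mitigation (not letting untrusted users write EndpointSlices at all) remains the primary control.
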
Comment 11 Michael Kaplan 2021-05-19 17:16:46 UTC
Created origin tracking bugs for this issue:

Affects: fedora-all [bug 1962296]

Comment 12 errata-xmlrpc 2021-07-27 22:07:34 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:2437 https://access.redhat.com/errata/RHSA-2021:2437

Comment 13 Product Security DevOps Team 2021-07-28 01:07:34 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-25737

Comment 14 Richard Theis 2021-08-21 10:57:38 UTC
Where can we find the status for the OpenShift version 4.7 and earlier releases with respect to this CVE?

Comment 15 Sam Fowler 2021-08-23 00:14:06 UTC
(In reply to Richard Theis from comment #14)
> Where can we find the status for the OpenShift version 4.7 and earlier
> releases with respect to this CVE?

OpenShift 4.8.2 is the first released version of OpenShift 4 that has been fixed. Earlier released versions of OpenShift 4 are affected.

