If an attacker is able to intercept certain requests to the Kubelet, they can send a redirect response that may be followed by a client using the credentials from the original request. This can lead to compromise of other nodes.
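The redirect-following behaviour described above, as an added Go example that is not part of this bug record or of Kubernetes' own code: a client that follows a node's 302 with the original Authorization header is run beside one whose CheckRedirect refuses to follow, against two constructed loopback servers (the servers, the /pods path and the token are assumptions).

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// NewNoRedirectClient returns a client that never follows redirects: a 3xx from a node
// is handed back unchanged, so the request's credentials are never replayed elsewhere.
func NewNoRedirectClient() *http.Client {
	return &http.Client{
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
}

// SimulateRedirect runs two constructed loopback servers: "node" 302-redirects to "other", which
// records the Authorization header it receives. Returns the status the caller saw and what reached "other".
func SimulateRedirect(c *http.Client, token string) (int, string, error) {
	seen := make(chan string, 1)
	other := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen <- r.Header.Get("Authorization")
	}))
	defer other.Close()
	node := httptest.NewServer(http.RedirectHandler(other.URL+"/pods", http.StatusFound))
	defer node.Close()
	req, _ := http.NewRequest(http.MethodGet, node.URL+"/pods", nil) // URL built above, cannot fail
	req.Header.Set("Authorization", "Bearer "+token)                 // assumed node credential
	resp, err := c.Do(req)
	if err != nil {
		return 0, "", err
	}
	resp.Body.Close()
	select {
	case forwarded := <-seen: // only populated when the redirect was followed
		return resp.StatusCode, forwarded, nil
	default:
		return resp.StatusCode, "", nil
	}
}

func main() {
	// Both servers share hostname 127.0.0.1, so Go's default client also forwards the
	// Authorization header when it follows; the hardened client stops at the 302.
	for _, c := range []*http.Client{http.DefaultClient, NewNoRedirectClient()} {
		status, forwarded, err := SimulateRedirect(c, "constructed-node-token")
		fmt.Printf("status=%d forwarded=%q err=%v\n", status, forwarded, err)
	}
}
```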
Statement: Kubernetes is embedded in the version of heketi shipped with Red Hat Gluster Storage 3. However, it does not use the Kubernetes API server component and only uses the client-side bits. Hence, this flaw does not affect heketi.
Acknowledgments: Name: the Kubernetes Product Security Committee; Upstream: Wouter ter Maat (Offensi)
Upstream Issue: https://github.com/kubernetes/kubernetes/issues/92914
Upstream Patch: https://github.com/kubernetes/kubernetes/pull/92941
Mitigation: No mitigation is known.
External References: https://groups.google.com/g/kubernetes-security-announce/c/JAIGG5yNROs
Created origin tracking bugs for this issue: Affects: fedora-all [bug 1857458]
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.5 Via RHSA-2020:5194 https://access.redhat.com/errata/RHSA-2020:5194
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-8559
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.11 Via RHSA-2020:5363 https://access.redhat.com/errata/RHSA-2020:5363
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.4 Via RHSA-2021:0030 https://access.redhat.com/errata/RHSA-2021:0030
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.4 Via RHSA-2021:0281 https://access.redhat.com/errata/RHSA-2021:0281