In Windows kube-proxy component when a service of type “LoadBalancer” is created, packets can be misrouted and reach an unintended destination. This issue can be only observed on any cloud environment that does not set the “.status.loadBalancer.ingress.ip” field in the LoadBalancer service status configuration. For one example, Kubernetes environments integrating with AWS cloud load balancers are impacted as they currently set “.status.loadBalancer.ingress.hostname” instead. This could leading to potential MITM attack.
Acknowledgments: Name: Eric Paris (Red Hat), Christian Hernandez (Red Hat)
External References: https://groups.google.com/g/kubernetes-security-announce/c/lIoOPObO51Q
Statement: Clusters where the LoadBalancer controller sets the “status.loadBalancer.ingress[].ip” field are unaffected.
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.7 Via RHSA-2021:2130 https://access.redhat.com/errata/RHSA-2021:2130
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-25736