-
Notifications
You must be signed in to change notification settings - Fork 39k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CVE-2021-25737: Holes in EndpointSlice Validation Enable Host Network Hijack #102106
Labels
official-cve-feed
Issues or PRs related to CVEs officially announced by Security Response Committee (SRC)
Comments
|
This was fixed by #101084 |
|
i was just about to link... thanks @cjcullen ! |
|
@PushkarJ hi, can you please label with offical-cve-feed |
|
/label official-cve-feed (Related to kubernetes/sig-security#1) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
official-cve-feed
Issues or PRs related to CVEs officially announced by Security Response Committee (SRC)
Issue Details
A security issue was discovered in Kubernetes where a user may be able to redirect pod traffic to private networks on a Node. Kubernetes already prevents creation of Endpoint IPs in the localhost or link-local range, but the same validation was not performed on EndpointSlice IPs.
This issue has been rated Low (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N), and assigned CVE-2021-25737.
Affected Component
kube-apiserver
Affected Versions
v1.21.0
v1.20.0 - v1.20.6
v1.19.0 - v1.19.10
v1.16.0 - v1.18.18 (Note: EndpointSlices were not enabled by default in 1.16-1.18)
Fixed Versions
This issue is fixed in the following versions:
v1.21.1
v1.20.7
v1.19.11
v1.18.19
Mitigation
To mitigate this vulnerability without upgrading kube-apiserver, you can create a validating admission webhook that prevents EndpointSlices with endpoint addresses in the 127.0.0.0/8 and 169.254.0.0/16 ranges. If you have an existing admission policy mechanism (like OPA Gatekeeper) you can create a policy that enforces this restriction.
Detection
To detect whether this vulnerability has been exploited, you can list EndpointSlices and check for endpoint addresses in the 127.0.0.0/8 and 169.254.0.0/16 ranges.
If you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io
Acknowledgements
This vulnerability was reported by John Howard of Google.
The text was updated successfully, but these errors were encountered: