Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.Sign up
build/gci: bump CNI version to 0.7.5 - CVE-2019-9946 #75455
Update from Brandon @philips of the Kubernetes Security Commitee:
A security issue was discovered with interactions between the CNI (Container Networking Interface) portmap plugin versions prior to 0.7.5 and Kubernetes. The CNI portmap plugin is embedded into Kubernetes releases so new releases of Kubernetes are required to fix this issue. The issue is Medium and upgrading to Kubernetes 1.11.9, 1.12.7, 1.13.5, and 1.14.0 is encouraged to fix this issue if this plugin is used in your environment.
Am I vulnerable?
As this affects a Kubernetes plugin interface it is difficult to say with certainty without a complete understanding of your Kubernetes configuration. The issue was identified in a configuration of kube-proxy in IPVS mode along with a pod using a HostPort. However, other network configurations may use the CNI portmap plugin as well.
How do I upgrade?
Follow your management tool or vendor instructions to upgrade to the latest release of Kubernetes.
Before this fix the 'portmap' plugin, used to setup HostPorts for CNI, would insert rules at the front of the iptables nat chains; which would take precedence over the KUBE- SERVICES chain. Because of this, the HostPort/portmap rule could match incoming traffic even if there were better fitting, more specific service definition rules like NodePorts later in the chain.
Switching the portmap plugin to append its rules, rather than prepend, allows traffic to be processed by KUBE-SERVICES rules first. Only if traffic does not match a service will it be considered for HostPorts. This is compatible with the behavior of the legacy ‘kubenet’ network driver.
Thank you to Etienne Champetier of Anevia for identifying the issue, Tim Hockin, Dan Williams, Casey Callendrello, Dujun, Tim Pepper, and the patch release managers for the coordination is making this release.
Mar 18, 2019
[APPROVALNOTIFIER] This PR is APPROVED
The full list of commands accepted by this bot can be found here.
The pull request process is described here
Mar 18, 2019
16 of 17 checks passed
@dcbw: The following test failed, say