Allele Security Alert
Security issue allows traffic to be processed by HostPort/portmap rather than by KUBE-SERVICES
Cloud Native Computing Foundation
Affected versions:
Kubernetes versions prior to 1.11.9
Kubernetes versions prior to 1.12.7
Kubernetes versions prior to 1.13.5
Kubernetes versions prior to 1.14.0
Fixed versions:
Kubernetes version 1.11.9
Kubernetes version 1.12.7
Kubernetes version 1.13.5
Kubernetes version 1.14.0
Proof of concept
A security issue was discovered with interactions between the CNI (Container Networking Interface) portmap plugin versions prior to 0.7.5 and Kubernetes. The CNI portmap plugin is embedded into Kubernetes releases so new releases of Kubernetes are required to fix this issue.
Before this fix the ‘portmap’ plugin, used to set up HostPorts for CNI, would insert rules at the front of the iptables nat chains, which would take precedence over the KUBE-SERVICES chain. Because of this, the HostPort/portmap rule could match incoming traffic even if there were better-fitting, more specific service definition rules, like NodePorts, later in the chain.
Switching the portmap plugin to append its rules, rather than prepend, allows traffic to be processed by KUBE-SERVICES rules first. Only if traffic does not match a service will it be considered for HostPorts. This is compatible with the behavior of the legacy ‘kubenet’ network driver.
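The ordering bug described above is visible in the nat table itself: iptables evaluates a chain top to bottom and the first matching rule wins, so a jump to the portmap chain placed before the jump to KUBE-SERVICES shadows the service rules. The following check is an added example, not code from the advisory or from the portmap plugin; it reads iptables-save style output and reports which jump comes first. It assumes the portmap plugin's chain is named CNI-HOSTPORT-DNAT (the advisory does not name it), and the two rule sets are constructed samples.

```shell
#!/bin/sh
# Constructed sample of `iptables-save -t nat` output from a node with the
# vulnerable portmap plugin: the jump to CNI-HOSTPORT-DNAT was prepended, so
# it sits in front of the KUBE-SERVICES jump in PREROUTING.
VULNERABLE_SAMPLE='*nat
:PREROUTING ACCEPT [0:0]
:KUBE-SERVICES - [0:0]
:CNI-HOSTPORT-DNAT - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j CNI-HOSTPORT-DNAT
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
COMMIT'

# Constructed sample after the fix: portmap appends, so KUBE-SERVICES is
# consulted first and HostPort rules only see traffic no service claimed.
FIXED_SAMPLE='*nat
:PREROUTING ACCEPT [0:0]
:KUBE-SERVICES - [0:0]
:CNI-HOSTPORT-DNAT - [0:0]
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A PREROUTING -m addrtype --dst-type LOCAL -j CNI-HOSTPORT-DNAT
COMMIT'

# check_chain_order CHAIN  (reads iptables-save output on stdin)
# Prints "vulnerable" if the jump to CNI-HOSTPORT-DNAT precedes the jump to
# KUBE-SERVICES in CHAIN, "ok" if KUBE-SERVICES comes first, and "unknown"
# if either jump is absent. Rule position is what matters: iptables applies
# the first matching rule, which is exactly why prepending was a problem.
check_chain_order() {
    chain="$1"
    awk -v chain="$chain" '
        $1 == "-A" && $2 == chain {
            pos++
            target = ""
            for (i = 1; i < NF; i++) if ($i == "-j") target = $(i + 1)
            if (target == "CNI-HOSTPORT-DNAT" && !hp) hp = pos
            if (target == "KUBE-SERVICES" && !ks) ks = pos
        }
        END {
            if (!hp || !ks) print "unknown"
            else if (hp < ks) print "vulnerable"
            else print "ok"
        }'
}

printf '%s\n' "$VULNERABLE_SAMPLE" | check_chain_order PREROUTING   # vulnerable
printf '%s\n' "$FIXED_SAMPLE" | check_chain_order PREROUTING        # ok
```

On a live node the same function can be fed the real table with `iptables-save -t nat | check_chain_order PREROUTING`, and the OUTPUT chain deserves the same check since both plugins install jumps there as well.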
Etienne Champetier (Anevia)
[ANNOUNCE] Security release of Kubernetes affecting certain network configurations with CNI – Releases 1.11.9, 1.12.7, 1.13.5, and 1.14.0 – CVE-2019-9946
build/gci: bump CNI version to 0.7.5 – CVE-2019-9946 #75455
Portmap: append, rather than prepend, entry rules – CVE-2019-9946 #269
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: August 29, 2019