ASA-2019-00162 – Kubernetes: Security issue allows traffic to be processed by HostPort/portmap rather than by KUBE-SERVICES

Allele Security Alert



ASA-2019-00162, CVE-2019-9946


Security issue allows traffic to be processed by HostPort/portmap rather than by KUBE-SERVICES


Cloud Native Computing Foundation



Affected version(s)

Kubernetes versions prior to 1.11.9
Kubernetes versions prior to 1.12.7
Kubernetes versions prior to 1.13.5
Kubernetes versions prior to 1.14.0

Fixed version(s)

Kubernetes version 1.11.9
Kubernetes version 1.12.7
Kubernetes version 1.13.5
Kubernetes version 1.14.0

Proof of concept



A security issue was discovered with interactions between the CNI (Container Networking Interface) portmap plugin versions prior to 0.7.5 and Kubernetes. The CNI portmap plugin is embedded into Kubernetes releases so new releases of Kubernetes are required to fix this issue.

Technical details

Before this fix the ‘portmap’ plugin, used to set up HostPorts for CNI, would insert rules at the front of the iptables nat chains, which would take precedence over the KUBE-SERVICES chain. Because of this, the HostPort/portmap rule could match incoming traffic even if there were better fitting, more specific service definition rules like NodePorts later in the chain.

Switching the portmap plugin to append its rules, rather than prepend, allows traffic to be processed by KUBE-SERVICES rules first. Only if traffic does not match a service will it be considered for HostPorts. This is compatible with the behavior of the legacy ‘kubenet’ network driver.
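Because iptables evaluates a chain top to bottom, the whole issue comes down to which jump sits first in the nat table's PREROUTING and OUTPUT chains. The script below is an added example (it is not part of this advisory, of Kubernetes, or of the CNI plugins) that reads an `iptables-save -t nat` dump and reports, per chain, whether the jump to KUBE-SERVICES (installed by kube-proxy) comes before the jump to CNI-HOSTPORT-DNAT (installed by the portmap plugin). It assumes those two chain names; the two dumps embedded in it are constructed to show the prepended and the appended orderings.

```shell
#!/bin/sh
# Added example, not code from the advisory or from the CNI/Kubernetes projects.
# Reads an `iptables-save -t nat` dump on stdin and checks, for PREROUTING and
# OUTPUT, whether the KUBE-SERVICES jump is evaluated before the
# CNI-HOSTPORT-DNAT jump. Returns 0 when the ordering is safe, 1 when a
# HostPort jump precedes KUBE-SERVICES in either chain.
check_nat_order() {
    awk '
        /^\*/ { table = substr($0, 2); next }           # "*nat" opens the nat table
        table == "nat" && $1 == "-A" && ($2 == "PREROUTING" || $2 == "OUTPUT") {
            n[$2]++                                       # position of this rule in its chain
            for (i = 3; i < NF; i++) {
                if ($i != "-j") continue
                if ($(i + 1) == "KUBE-SERVICES" && !(($2, "svc") in pos)) pos[$2, "svc"] = n[$2]
                if ($(i + 1) == "CNI-HOSTPORT-DNAT" && !(($2, "cni") in pos)) pos[$2, "cni"] = n[$2]
            }
        }
        END {
            bad = 0
            chains[1] = "PREROUTING"; chains[2] = "OUTPUT"
            for (k = 1; k <= 2; k++) {
                c = chains[k]
                if (!((c, "cni") in pos)) { printf "%s: no HostPort rules\n", c; continue }
                if (!((c, "svc") in pos)) { printf "%s: no KUBE-SERVICES jump to compare against\n", c; continue }
                if (pos[c, "cni"] < pos[c, "svc"]) {
                    printf "%s: VULNERABLE ORDER - CNI-HOSTPORT-DNAT (rule %d) precedes KUBE-SERVICES (rule %d)\n", c, pos[c, "cni"], pos[c, "svc"]
                    bad = 1
                } else {
                    printf "%s: ok - KUBE-SERVICES (rule %d) precedes CNI-HOSTPORT-DNAT (rule %d)\n", c, pos[c, "svc"], pos[c, "cni"]
                }
            }
            exit bad
        }
    '
}

# Constructed dump mimicking a node where portmap prepended its rules:
# the CNI-HOSTPORT-DNAT jump sits in front of the KUBE-SERVICES jump.
PREPENDED_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:KUBE-SERVICES - [0:0]
:CNI-HOSTPORT-DNAT - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j CNI-HOSTPORT-DNAT
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -m addrtype --dst-type LOCAL -j CNI-HOSTPORT-DNAT
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
COMMIT'

# Constructed dump for the fixed behaviour: portmap appends, so KUBE-SERVICES
# is consulted first and HostPorts only see traffic no service claimed.
APPENDED_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:KUBE-SERVICES - [0:0]
:CNI-HOSTPORT-DNAT - [0:0]
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A PREROUTING -m addrtype --dst-type LOCAL -j CNI-HOSTPORT-DNAT
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -m addrtype --dst-type LOCAL -j CNI-HOSTPORT-DNAT
COMMIT'

echo "== prepended ordering (portmap before 0.7.5) =="
if printf '%s\n' "$PREPENDED_DUMP" | check_nat_order; then
    echo "result: safe"
else
    echo "result: HostPort rules shadow KUBE-SERVICES"
fi

echo "== appended ordering (portmap 0.7.5 and later) =="
if printf '%s\n' "$APPENDED_DUMP" | check_nat_order; then
    echo "result: safe"
else
    echo "result: HostPort rules shadow KUBE-SERVICES"
fi
```

On a live node the same function can be fed with `iptables-save -t nat | check_nat_order`. Note that `iptables-save` prints every rule as `-A` in its current order, so whether the plugin originally used `-I` or `-A` is invisible in the dump; only the resulting position matters, which is exactly what the check compares.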


Etienne Champetier (Anevia)


[ANNOUNCE] Security release of Kubernetes affecting certain network configurations with CNI – Releases 1.11.9, 1.12.7, 1.13.5, and 1.14.0 – CVE-2019-9946

build/gci: bump CNI version to 0.7.5 – CVE-2019-9946 #75455

Portmap: append, rather than prepend, entry rules – CVE-2019-9946 #269



If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: August 29, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.