Arch Linux Security Advisory ASA-202106-29

Severity: Low
Date    : 2021-06-09
CVE-ID  : CVE-2021-25737
Package : kube-apiserver
Type    : insufficient validation
Remote  : Yes
Link    :

Summary
=======

The package kube-apiserver before version 1.21.1-1 is vulnerable to
insufficient validation.

Resolution
==========

Upgrade to 1.21.1-1.

# pacman -Syu "kube-apiserver>=1.21.1-1"

The problem has been fixed upstream in version 1.21.1.

Workaround
==========

To mitigate this vulnerability without upgrading kube-apiserver, you
can create a validating admission webhook that rejects EndpointSlices
with endpoint addresses in the localhost and link-local ranges.
If you have an existing admission policy mechanism (like OPA
Gatekeeper) you can create a policy that enforces this restriction.
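As an added example (not part of this advisory, and not code from Kubernetes or OPA Gatekeeper), the following Go program implements the validating admission webhook the workaround describes: it decodes an admission.k8s.io/v1 AdmissionReview, reads the endpoint addresses of the EndpointSlice inside it, and denies the request if any address is loopback or link-local. The `/validate` path, the port, and the embedded sample review are assumptions; loopback and link-local classification relies on the standard library's `net.IP` methods, and slices of addressType FQDN are passed through because they carry hostnames rather than IPs.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net"
	"net/http"
	"strings"
)

// Minimal subset of admission.k8s.io/v1 AdmissionReview needed for the check.
type admissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *admissionRequest  `json:"request,omitempty"`
	Response   *admissionResponse `json:"response,omitempty"`
}

type admissionRequest struct {
	UID    string          `json:"uid"`
	Object json.RawMessage `json:"object"` // the EndpointSlice being created/updated
}

type admissionResponse struct {
	UID     string  `json:"uid"`
	Allowed bool    `json:"allowed"`
	Result  *status `json:"status,omitempty"`
}

type status struct {
	Message string `json:"message"`
}

// Fields of discovery.k8s.io/v1 EndpointSlice relevant to the check.
type endpoint struct {
	Addresses []string `json:"addresses"`
}

type endpointSlice struct {
	AddressType string     `json:"addressType"` // "IPv4", "IPv6" or "FQDN"
	Endpoints   []endpoint `json:"endpoints"`
}

// forbiddenAddresses returns every endpoint address that would point pod
// traffic at the node itself: loopback (127.0.0.0/8, ::1) or link-local
// (169.254.0.0/16, fe80::/10, plus link-local multicast). An address in an
// IP-typed slice that does not parse as an IP is reported too, so that a
// malformed value is never silently allowed.
func forbiddenAddresses(es endpointSlice) []string {
	if es.AddressType == "FQDN" {
		return nil // hostnames, not IPs; out of scope for this check
	}
	var bad []string
	for _, ep := range es.Endpoints {
		for _, a := range ep.Addresses {
			ip := net.ParseIP(a)
			if ip == nil || ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() {
				bad = append(bad, a)
			}
		}
	}
	return bad
}

// review applies the check to one AdmissionReview and returns the review
// carrying the decision (same UID, allowed=false with a message on rejection).
func review(body []byte) (*admissionReview, error) {
	var in admissionReview
	if err := json.Unmarshal(body, &in); err != nil {
		return nil, fmt.Errorf("decoding AdmissionReview: %w", err)
	}
	if in.Request == nil {
		return nil, fmt.Errorf("AdmissionReview has no request")
	}
	var es endpointSlice
	if err := json.Unmarshal(in.Request.Object, &es); err != nil {
		return nil, fmt.Errorf("decoding EndpointSlice: %w", err)
	}
	resp := &admissionResponse{UID: in.Request.UID, Allowed: true}
	if bad := forbiddenAddresses(es); len(bad) > 0 {
		resp.Allowed = false
		resp.Result = &status{Message: "EndpointSlice addresses in loopback or link-local ranges are not allowed: " + strings.Join(bad, ", ")}
	}
	return &admissionReview{APIVersion: in.APIVersion, Kind: in.Kind, Response: resp}, nil
}

// handler is the HTTP endpoint a ValidatingWebhookConfiguration would target.
func handler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	out, err := review(body)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(out)
}

// Constructed sample: one legitimate pod IP mixed with a loopback and a link-local address.
const sampleReview = `{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview",
 "request":{"uid":"00000000-0000-0000-0000-000000000001",
  "object":{"apiVersion":"discovery.k8s.io/v1","kind":"EndpointSlice","addressType":"IPv4",
   "endpoints":[{"addresses":["10.244.1.7"]},{"addresses":["127.0.0.1","169.254.10.20"]}]}}}`

func main() {
	out, err := review([]byte(sampleReview))
	if err != nil {
		panic(err)
	}
	fmt.Printf("allowed=%v message=%q\n", out.Response.Allowed, out.Response.Result.Message)
	http.HandleFunc("/validate", handler) // assumed path; serve with http.ListenAndServeTLS in a cluster
}
```

The webhook must be registered with a ValidatingWebhookConfiguration scoped to `discovery.k8s.io` EndpointSlice CREATE and UPDATE operations and served over TLS with a certificate the API server trusts; with `failurePolicy: Fail` an unreachable webhook blocks EndpointSlice writes rather than letting them through unchecked.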

Description
===========

A security issue was discovered in kube-apiserver before version 1.21.1
where a user may be able to redirect pod traffic to private networks on
a node. Kubernetes already prevents creation of Endpoint IPs in the
localhost or link-local range, but the same validation was not
performed on EndpointSlice IPs.

Impact
======

A user could redirect pod traffic to private networks on a node.