ArchLinux: 202106-29: kube-apiserver: insufficient validation | Lin...

Advisories

Arch Linux Security Advisory ASA-202106-29
==========================================

Severity: Low
Date    : 2021-06-09
CVE-ID  : CVE-2021-25737
Package : kube-apiserver
Type    : insufficient validation
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1970

Summary
=======

The package kube-apiserver before version 1.21.1-1 is vulnerable to
insufficient validation.

Resolution
==========

Upgrade to 1.21.1-1.

# pacman -Syu "kube-apiserver>=1.21.1-1"

The problem has been fixed upstream in version 1.21.1.

Workaround
==========

To mitigate this vulnerability without upgrading kube-apiserver, you
can create a validating admission webhook that prevents EndpointSlices
with endpoint addresses in the 127.0.0.0/8 and 169.254.0.0/16 ranges.
If you have an existing admission policy mechanism (like OPA
Gatekeeper) you can create a policy that enforces this restriction.

Description
===========

A security issue was discovered in kube-apiserver before version 1.21.1
where a user may be able to redirect pod traffic to private networks on
a node. Kubernetes already prevents creation of Endpoint IPs in the
localhost or link-local range, but the same validation was not
performed on EndpointSlice IPs.

Impact
======

A user could redirect pod traffic to private networks on a node.

References
==========

https://github.com/kubernetes/kubernetes/issues/102106
https://github.com/kubernetes/kubernetes/pull/101084
https://github.com/kubernetes/kubernetes/commit/233c8d6eeef9e7a259c39dd1db096479044820ae
https://security.archlinux.org/CVE-2021-25737

ArchLinux: 202106-29: kube-apiserver: insufficient validation

June 11, 2021
The package kube-apiserver before version 1.21.1-1 is vulnerable to insufficient validation

Summary

A security issue was discovered in kube-apiserver before version 1.21.1 where a user may be able to redirect pod traffic to private networks on a node. Kubernetes already prevents creation of Endpoint IPs in the localhost or link-local range, but the same validation was not performed on EndpointSlice IPs.

Resolution

Upgrade to 1.21.1-1.
# pacman -Syu "kube-apiserver>=1.21.1-1"
The problem has been fixed upstream in version 1.21.1.

References

https://github.com/kubernetes/kubernetes/issues/102106 https://github.com/kubernetes/kubernetes/pull/101084 https://github.com/kubernetes/kubernetes/commit/233c8d6eeef9e7a259c39dd1db096479044820ae https://security.archlinux.org/CVE-2021-25737

Severity
CVE-ID : CVE-2021-25737
Package : kube-apiserver
Type : insufficient validation
Remote : Yes
Link : https://security.archlinux.org/AVG-1970

Impact

A user could redirect pod traffic to private networks on a node.

Workaround

To mitigate this vulnerability without upgrading kube-apiserver, youcan create a validating admission webhook that prevents EndpointSliceswith endpoint addresses in the 127.0.0.0/8 and 169.254.0.0/16 ranges.If you have an existing admission policy mechanism (like OPAGatekeeper) you can create a policy that enforces this restriction.

Related News

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.