CVE-2021-25737 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	Low
Remote	Yes
Type	Insufficient validation
Description	A security issue was discovered in kube-apiserver before version 1.21.1 where a user may be able to redirect pod traffic to private networks on a node. Kubernetes already prevents creation of Endpoint IPs in the localhost or link-local range, but the same validation was not performed on EndpointSlice IPs.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-1970	kube-apiserver	1.21.0-1	1.21.1-1	Low	Fixed

Date	Advisory	Group	Package	Severity	Type
09 Jun 2021	ASA-202106-29	AVG-1970	kube-apiserver	Low	insufficient validation

References
https://github.com/kubernetes/kubernetes/issues/102106 https://github.com/kubernetes/kubernetes/pull/101084 https://github.com/kubernetes/kubernetes/commit/233c8d6eeef9e7a259c39dd1db096479044820ae

Notes
Workaround ========== To mitigate this vulnerability without upgrading kube-apiserver, you can create a validating admission webhook that prevents EndpointSlices with endpoint addresses in the 127.0.0.0/8 and 169.254.0.0/16 ranges. If you have an existing admission policy mechanism (like OPA Gatekeeper) you can create a policy that enforces this restriction.

Notes

Workaround
==========

To mitigate this vulnerability without upgrading kube-apiserver, you can create a validating admission webhook that prevents EndpointSlices with endpoint addresses in the 127.0.0.0/8 and 169.254.0.0/16 ranges. If you have an existing admission policy mechanism (like OPA Gatekeeper) you can create a policy that enforces this restriction.