CVE-2021-25737 - log

CVE-2021-25737 edited at 09 Jun 2021 08:53:59
Description
- A security issue was discovered in kube-apiserver before version 1.21.1 where a user may be able to redirect pod traffic to private networks on a Node. Kubernetes already prevents creation of Endpoint IPs in the localhost or link-local range, but the same validation was not performed on EndpointSlice IPs.
+ A security issue was discovered in kube-apiserver before version 1.21.1 where a user may be able to redirect pod traffic to private networks on a node. Kubernetes already prevents creation of Endpoint IPs in the localhost or link-local range, but the same validation was not performed on EndpointSlice IPs.
CVE-2021-25737 edited at 19 May 2021 09:21:01
Severity
- Unknown
+ Low
Remote
- Unknown
+ Remote
Type
- Unknown
+ Insufficient validation
Description
+ A security issue was discovered in kube-apiserver before version 1.21.1 where a user may be able to redirect pod traffic to private networks on a Node. Kubernetes already prevents creation of Endpoint IPs in the localhost or link-local range, but the same validation was not performed on EndpointSlice IPs.
References
+ https://github.com/kubernetes/kubernetes/issues/102106
+ https://github.com/kubernetes/kubernetes/pull/101084
+ https://github.com/kubernetes/kubernetes/commit/233c8d6eeef9e7a259c39dd1db096479044820ae
Notes
+ Workaround
+ ==========
+
+ To mitigate this vulnerability without upgrading kube-apiserver, you can create a validating admission webhook that prevents EndpointSlices with endpoint addresses in the 127.0.0.0/8 and 169.254.0.0/16 ranges. If you have an existing admission policy mechanism (like OPA Gatekeeper) you can create a policy that enforces this restriction.
CVE-2021-25737 created at 19 May 2021 09:17:23