Bugzilla – Bug 1131057
VUL-0: CVE-2019-9946: kubernetes: kubernetes: Incorrect rule injection in CNI portmap plugin
Last modified: 2022-04-14 07:19:42 UTC
It was found that the 'portmap' plugin, used to set up HostPorts for CNI, would insert rules at the front of the iptables nat chains, which would take precedence over the KUBE-SERVICES chain. Because of this, the HostPort/portmap rule could match incoming traffic even if there were better-fitting, more specific service definition rules like NodePorts later in the chain.
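The ordering problem described in this report, as an added example that is not part of the bug report or of the Kubernetes/CNI code: a read-only shell check over `iptables-save -t nat` output that reports whether the HostPort jump in a nat chain is evaluated before the KUBE-SERVICES jump. The rule text is constructed, CNI-HOSTPORT-DNAT is assumed as the name of the chain the portmap plugin manages, and the "good" sample only illustrates the ordering in which service rules are consulted first; it does not reproduce the upstream fix.

```shell
#!/bin/sh
# Added example: audit iptables-save output for the HostPort-before-KUBE-SERVICES
# ordering. It only reads text on stdin and changes nothing on the host.

# Constructed sample (not captured from a real node). CNI-HOSTPORT-DNAT is assumed to be
# the portmap plugin's chain; the rule wording is illustrative. This is the problematic
# ordering: the HostPort jump was inserted at the front, ahead of the KUBE-SERVICES jump.
SAMPLE_NAT_BAD='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:CNI-HOSTPORT-DNAT - [0:0]
:KUBE-SERVICES - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j CNI-HOSTPORT-DNAT
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -m addrtype --dst-type LOCAL -j CNI-HOSTPORT-DNAT
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
COMMIT'

# Constructed sample of the ordering a defender wants to see: KUBE-SERVICES is consulted
# first, so NodePort and other service rules win over a HostPort mapping on the same port.
SAMPLE_NAT_GOOD='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:CNI-HOSTPORT-DNAT - [0:0]
:KUBE-SERVICES - [0:0]
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A PREROUTING -m addrtype --dst-type LOCAL -j CNI-HOSTPORT-DNAT
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -m addrtype --dst-type LOCAL -j CNI-HOSTPORT-DNAT
COMMIT'

# check_nat_order CHAIN
#   Reads iptables-save text on stdin and prints exactly one word:
#     MISORDERED  the first CNI-HOSTPORT-DNAT jump in CHAIN precedes the first KUBE-SERVICES jump
#     OK          KUBE-SERVICES comes first, or only one of the two jumps is present
#     ABSENT      CHAIN carries neither jump
#   Rules are counted in the order iptables-save lists them, which is evaluation order.
check_nat_order() {
  chain="${1:-PREROUTING}"
  awk -v chain="$chain" '
    $1 == "-A" && $2 == chain {
      n++
      for (i = 3; i <= NF; i++) {
        if ($i == "-j" && $(i+1) == "CNI-HOSTPORT-DNAT" && !h) h = n
        if ($i == "-j" && $(i+1) == "KUBE-SERVICES"     && !k) k = n
      }
    }
    END {
      if (!h && !k)             print "ABSENT"
      else if (h && k && h < k) print "MISORDERED"
      else                      print "OK"
    }'
}

# On a live node (root required): iptables-save -t nat | check_nat_order PREROUTING
printf '%s\n' "$SAMPLE_NAT_BAD"  | check_nat_order PREROUTING   # MISORDERED
printf '%s\n' "$SAMPLE_NAT_GOOD" | check_nat_order PREROUTING   # OK
```

Run it against both PREROUTING and OUTPUT, since the HostPort jump is installed in both chains; a MISORDERED result on a node means a HostPort mapping can shadow a NodePort or other service rule for the same destination port until the plugin is updated.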
Do we use this plugin?
Due to this and another CVE being more difficult to backport, we decided to update k8s, here's the SR for devel: https://build.suse.de/request/show/192971
I told Max to go ahead packaging k8s 1.11 for v3 because it seemed the simplest solution. However, I realized this could be an issue if a customer has k8s 1.9.
Can you give us your feedback here?
Would we really want (need?) to ship a major k8s upgrade for v3 at this point?
@rafa - would this help the v3->v4 upgrade story?
I stopped this because of the 1.9 broken upgrade potential. Let me quickly ask the field about this.
Against: of course, the potential of 1.9->1.11 breakage for anyone who has not updated.
For: easiest way to get the fix out there.
(When I am in NUE, we will need to separately discuss an escalation regarding the upgrade path.)
Is there any news regarding this CVE?
Request 192971, superseded by Request 193324, was supposed to fix the issue, but it is stuck in the "new" state.