Bug 1131057 - (CVE-2019-9946) VUL-0: CVE-2019-9946: kubernetes: kubernetes: Incorrect rule injection in CNI portmap plugin
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Hardware/OS: Other / Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
Reported: 2019-03-30 06:10 UTC by Marcus Meissner
Modified: 2022-04-14 07:19 UTC (History)

Found By: Security Response Team

Description Marcus Meissner 2019-03-30 06:10:37 UTC

It was found that the 'portmap' plugin, used to set up HostPorts for CNI, would insert rules at the front of the iptables nat chains, which would take precedence over the KUBE-SERVICES chain. Because of this, the HostPort/portmap rule could match incoming traffic even if there were better-fitting, more specific service definition rules like NodePorts later in the chain.

Upstream issue:


Upstream patch:


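The ordering problem in the report is easy to check for on a node: if the jump into the portmap plugin's DNAT chain sits ahead of the jump into KUBE-SERVICES in the nat PREROUTING or OUTPUT chain, a HostPort mapping is evaluated before kube-proxy's service rules. The checker below is an added example written for this page, not code from the bug report, from SUSE, or from the CNI or Kubernetes projects. It parses `iptables-save` text and flags that ordering. The `CNI-HOSTPORT-DNAT` chain name is the one the portmap plugin creates (an assumption not stated in the report); the two sample dumps are constructed, and the second shows the order a fixed plugin produces by appending its jump instead of inserting it.

```python
"""Detect the CVE-2019-9946 rule ordering in an iptables-save dump.

The vulnerable portmap plugin hooked its HostPort DNAT chain into the nat
PREROUTING/OUTPUT chains ahead of kube-proxy's KUBE-SERVICES jump, so a
HostPort mapping could shadow a more specific NodePort or service rule.
This checker parses iptables-save output and reports, per entry chain,
whether the portmap jump is evaluated before KUBE-SERVICES.
"""
import re
import subprocess
from typing import Dict, List

PORTMAP_CHAIN = "CNI-HOSTPORT-DNAT"      # chain created by the CNI portmap plugin (assumed name)
KUBE_CHAIN = "KUBE-SERVICES"             # chain created by kube-proxy
ENTRY_CHAINS = ("PREROUTING", "OUTPUT")  # built-in nat chains both components hook into

# Every rule line in iptables-save has the form "-A CHAIN <matches> -j TARGET".
_JUMP_RE = re.compile(r"^-A (\S+) .*\s-j (\S+)\s*$")


def parse_nat_jumps(save_text: str) -> Dict[str, List[str]]:
    """Return, for each built-in nat entry chain, its ordered list of jump targets.

    Only the *nat table is read: the filter table also has an OUTPUT chain,
    and mixing the two would produce false positives.
    """
    jumps: Dict[str, List[str]] = {chain: [] for chain in ENTRY_CHAINS}
    in_nat = False
    for raw in save_text.splitlines():
        line = raw.strip()
        if line.startswith("*"):           # table header such as "*nat" or "*filter"
            in_nat = line == "*nat"
            continue
        if not in_nat:
            continue
        m = _JUMP_RE.match(line)
        if m and m.group(1) in jumps:
            jumps[m.group(1)].append(m.group(2))
    return jumps


def hostport_shadows_services(jumps: Dict[str, List[str]]) -> Dict[str, bool]:
    """True for each chain in which CNI-HOSTPORT-DNAT is reached before KUBE-SERVICES."""
    verdict: Dict[str, bool] = {}
    for chain, targets in jumps.items():
        if PORTMAP_CHAIN in targets and KUBE_CHAIN in targets:
            verdict[chain] = targets.index(PORTMAP_CHAIN) < targets.index(KUBE_CHAIN)
        else:
            verdict[chain] = False         # one of the two jumps is absent: nothing to shadow
    return verdict


def check_live_host() -> Dict[str, bool]:
    """Run the check on this node's nat table (needs root or CAP_NET_ADMIN)."""
    out = subprocess.run(["iptables-save", "-t", "nat"], check=True,
                         capture_output=True, text=True).stdout
    return hostport_shadows_services(parse_nat_jumps(out))


# Constructed sample dumps, not captured from a real node.  In the first the
# portmap jump was inserted at the front of each chain, as the vulnerable
# plugin did; the filter section is there to show it is ignored.
VULNERABLE_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:CNI-HOSTPORT-DNAT - [0:0]
:KUBE-SERVICES - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j CNI-HOSTPORT-DNAT
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -m addrtype --dst-type LOCAL -j CNI-HOSTPORT-DNAT
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
COMMIT
*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -j KUBE-FIREWALL
COMMIT
"""

# Same node after a fixed plugin appends its jump behind KUBE-SERVICES.
FIXED_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:CNI-HOSTPORT-DNAT - [0:0]
:KUBE-SERVICES - [0:0]
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A PREROUTING -m addrtype --dst-type LOCAL -j CNI-HOSTPORT-DNAT
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -m addrtype --dst-type LOCAL -j CNI-HOSTPORT-DNAT
COMMIT
"""

if __name__ == "__main__":
    for label, dump in (("vulnerable", VULNERABLE_SAVE), ("fixed", FIXED_SAVE)):
        print(label, hostport_shadows_services(parse_nat_jumps(dump)))
```

On a real node, `check_live_host()` runs the same logic against `iptables-save -t nat`; a `True` for PREROUTING means inbound HostPort traffic is matched before kube-proxy gets a chance to apply NodePort and service rules, which is exactly the condition the report describes.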
Comment 1 Marcus Meissner 2019-03-30 06:10:53 UTC
Do we use this plugin?
Comment 3 Maximilian Meister 2019-05-20 11:20:58 UTC
Due to this and another CVE being more difficult to backport, we decided to update k8s; here's the SR for devel: https://build.suse.de/request/show/192971
Comment 4 Jordi Massaguer 2019-05-21 10:16:46 UTC

I told Max to go ahead packaging k8s 1.11 for v3 because it seemed the simplest solution. However, I realized this could be an issue if a customer has k8s 1.9.

Can you give us your feedback here?
Comment 5 Klaus Kämpf 2019-07-08 06:56:27 UTC
Would we really want (need?) to ship a major k8s upgrade for v3 at this point?

@rafa - would this help the v3->v4 upgrade story?
Comment 6 Roger Klorese 2019-07-08 17:39:31 UTC
I stopped this because of the 1.9 broken upgrade potential. Let me quickly ask the field about this.

Against: of course, the potential of 1.9->1.11 breakage for anyone who has not updated.

For: easiest way to get the fix out there.

(When I am in NUE, we will need to separately discuss an escalation regarding the upgrade path.)
Comment 7 Wolfgang Frisch 2019-11-07 14:18:51 UTC
Is there any news regarding this CVE?

Request 192971, superseded by Request 193324, was supposed to fix the issue, but it is stuck in the "new" state.
Comment 8 Gabriele Sonnu 2022-04-14 07:19:42 UTC