Bug 1131057 - (CVE-2019-9946) VUL-0: CVE-2019-9946: kubernetes: kubernetes: Incorrect rule injection in CNI portmap plugin
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/228424/
CVSSv3:SUSE:CVE-2019-9946:6.5:(AV:N/A...
Reported: 2019-03-30 06:10 UTC by Marcus Meissner
Modified: 2022-04-14 07:19 UTC (History)
Found By: Security Response Team
Description Marcus Meissner 2019-03-30 06:10:37 UTC
rh#1692712


It was found that the 'portmap' plugin, used to set up HostPorts for CNI, would insert rules at the front of the iptables nat chains, which would take precedence over the KUBE-SERVICES chain. Because of this, the HostPort/portmap rule could match incoming traffic even if there were better fitting, more specific service definition rules like NodePorts later in the chain.

Upstream issue:

https://github.com/containernetworking/plugins/pull/269

Upstream patch:

https://github.com/containernetworking/plugins/pull/269/commits/f8fcb3525fc5c4a2bdc1a791b5c7b46a29ef4f04

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1692712
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-9946
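A node-side check for the rule-ordering problem the description explains, added here as an example and not part of the bug report or of the upstream plugin: it parses `iptables-save -t nat` output and reports whether the portmap jump is evaluated before the KUBE-SERVICES jump in a chain. The chain name CNI-HOSTPORT-DNAT is assumed to be the portmap plugin's DNAT chain, and the sample rule text is constructed.

```python
"""Check nat-table jump ordering for the CVE-2019-9946 precedence problem."""
import re
import sys

# Assumed chain names: CNI-HOSTPORT-DNAT for the portmap plugin's DNAT chain,
# KUBE-SERVICES for kube-proxy's service chain; adjust if your node differs.
PORTMAP_CHAIN = "CNI-HOSTPORT-DNAT"
KUBE_SERVICES_CHAIN = "KUBE-SERVICES"
# Matches "-A <chain> ... -j <target>" as printed by iptables-save / iptables -S.
JUMP_RE = re.compile(r"^-A\s+(\S+)\s+.*-j\s+(\S+)")


def jump_order(nat_rules: str) -> dict:
    """Map each chain to its jump targets in evaluation order (iptables-save
    prints rules in match order, so list position is precedence)."""
    order = {}
    for line in nat_rules.splitlines():
        m = JUMP_RE.match(line.strip())
        if m:
            order.setdefault(m.group(1), []).append(m.group(2))
    return order


def portmap_shadows_services(nat_rules: str, chain: str = "PREROUTING") -> bool:
    """True when the portmap jump is evaluated before the KUBE-SERVICES jump in
    `chain`: the vulnerable ordering, where a HostPort DNAT rule can match traffic
    that a more specific service rule (e.g. a NodePort) later in the chain should
    have handled. False if either jump is absent from the chain."""
    targets = jump_order(nat_rules).get(chain, [])
    if PORTMAP_CHAIN not in targets or KUBE_SERVICES_CHAIN not in targets:
        return False
    return targets.index(PORTMAP_CHAIN) < targets.index(KUBE_SERVICES_CHAIN)


# Constructed sample: portmap rule inserted at the front of PREROUTING (vulnerable).
VULNERABLE_NAT = """\
-A PREROUTING -m addrtype --dst-type LOCAL -j CNI-HOSTPORT-DNAT
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
"""
# Constructed sample: portmap rule appended after KUBE-SERVICES (fixed ordering).
FIXED_NAT = """\
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A PREROUTING -m addrtype --dst-type LOCAL -j CNI-HOSTPORT-DNAT
"""

if __name__ == "__main__":
    # Usage on a node: iptables-save -t nat | python3 check_portmap_order.py
    rules = sys.stdin.read() if not sys.stdin.isatty() else VULNERABLE_NAT
    print("VULNERABLE ordering" if portmap_shadows_services(rules) else "ok")
```

Run it against every chain the portmap plugin hooks (PREROUTING for inbound traffic, OUTPUT for locally generated traffic) by passing `chain=`.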
Comment 1 Marcus Meissner 2019-03-30 06:10:53 UTC
Do we use this plugin?
Comment 3 Maximilian Meister 2019-05-20 11:20:58 UTC
Due to this and another CVE being more difficult to backport, we decided to update k8s, here's the SR for devel: https://build.suse.de/request/show/192971
Comment 4 Jordi Massaguer 2019-05-21 10:16:46 UTC
Klaus,

I told Max to go ahead packaging k8s 1.11 for v3 because it seemed the simplest solution. However, I realized this could be an issue if a customer has k8s 1.9.

Can you give us your feedback here?
Comment 5 Klaus Kämpf 2019-07-08 06:56:27 UTC
Would we really want (need?) to ship a major k8s upgrade for v3 at this point?

@rafa - would this help the v3->v4 upgrade story ?
Comment 6 Roger Klorese 2019-07-08 17:39:31 UTC
I stopped this because of the 1.9 broken upgrade potential. Let me quickly ask the field about this. 

Against: of course, the potential of 1.9->1.11 breakage for anyone who has not updated.

For: easiest way to get the fix out there.

(When I am in NUE, we will need to separately discuss an escalation regarding the upgrade path.)
Comment 7 Wolfgang Frisch 2019-11-07 14:18:51 UTC
Is there any news regarding this CVE?

Request 192971, superseded by Request 193324, was supposed to fix the issue, but it is stuck in the "new" state.
Comment 8 Gabriele Sonnu 2022-04-14 07:19:42 UTC
Done.