Description
Cloud Native Computing Foundation (CNCF) CNI (Container Networking Interface) 0.7.4 has a network firewall misconfiguration which affects Kubernetes. The CNI 'portmap' plugin, used to setup HostPorts for CNI, inserts rules at the front of the iptables nat chains; which take precedence over the KUBE- SERVICES chain. Because of this, the HostPort/portmap rule could match incoming traffic even if there were better fitting, more specific service definition rules like NodePorts later in the chain. The issue is fixed in CNI 0.7.5 and Kubernetes 1.11.9, 1.12.7, 1.13.5, and 1.14.0.
References (5)
Core 5
Core References
Patch, Third Party Advisory x_refsource_confirm
https://github.com/containernetworking/plugins/pull/269#issuecomment-477683272
Patch, Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20190416-0002/
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHBA-2019:0862
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FCN66VYB3XS76SYH567SO7N3I254JOCT/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGOOWAELGH3F7OXRBPH3HCNZELNLXYTW/
Scores
CVSS v3
7.5
EPSS
0.0312
EPSS Percentile
86.1%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-670
Status
published
Products (5)
cncf/portmap
< 0.7.5
kubernetes/kubernetes
1.13.6 beta0
kubernetes/kubernetes
1.14.0 alpha0 (8 CPE variants)
kubernetes/kubernetes
< 1.11.9
netapp/cloud_insights
Published
Apr 02, 2019
Tracked Since
Feb 18, 2026