CVE-2019-9946

Source
https://nvd.nist.gov/vuln/detail/CVE-2019-9946
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-9946.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2019-9946
Related
Published
2019-04-02T18:30:26Z
Modified
2024-12-10T16:48:37.223695Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
[none]
Details

Cloud Native Computing Foundation (CNCF) CNI (Container Networking Interface) 0.7.4 has a network firewall misconfiguration which affects Kubernetes. The CNI 'portmap' plugin, used to setup HostPorts for CNI, inserts rules at the front of the iptables nat chains; which take precedence over the KUBE- SERVICES chain. Because of this, the HostPort/portmap rule could match incoming traffic even if there were better fitting, more specific service definition rules like NodePorts later in the chain. The issue is fixed in CNI 0.7.5 and Kubernetes 1.11.9, 1.12.7, 1.13.5, and 1.14.0.

References

Affected packages

Debian:11 / kubernetes

Package

Name
kubernetes
Purl
pkg:deb/debian/kubernetes?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.17.4-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / kubernetes

Package

Name
kubernetes
Purl
pkg:deb/debian/kubernetes?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.17.4-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/containernetworking/plugins

Affected ranges

Type
GIT
Repo
https://github.com/containernetworking/plugins
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Type
GIT
Repo
https://github.com/kubernetes/kubelet
Events

Affected versions

v0.*

v0.1.0
v0.2.0-rc0
v0.3.0
v0.3.0-rc0
v0.3.0-rc1
v0.3.0-rc2
v0.3.0-rc3
v0.6.0
v0.6.0-rc1
v0.6.0-rc2
v0.7.0
v0.7.0-rc1
v0.7.0-rc2
v0.7.1
v0.7.2
v0.7.3
v0.7.4