Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2019-9946

UNKNOWN
Published 2019-04-02T17:22:52
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2019-9946. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

Cloud Native Computing Foundation (CNCF) CNI (Container Networking Interface) 0.7.4 has a network firewall misconfiguration which affects Kubernetes. The CNI 'portmap' plugin, used to setup HostPorts for CNI, inserts rules at the front of the iptables nat chains; which take precedence over the KUBE- SERVICES chain. Because of this, the HostPort/portmap rule could match incoming traffic even if there were better fitting, more specific service definition rules like NodePorts later in the chain. The issue is fixed in CNI 0.7.5 and Kubernetes 1.11.9, 1.12.7, 1.13.5, and 1.14.0.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

⚠ Unreviewed HIGH

GHSA-6g96-g4m6-hw69

Advisory Details

Cloud Native Computing Foundation (CNCF) CNI (Container Networking Interface) 0.7.4 has a network firewall misconfiguration which affects Kubernetes. The CNI 'portmap' plugin, used to setup HostPorts for CNI, inserts rules at the front of the iptables nat chains; which take precedence over the KUBE- SERVICES chain. Because of this, the HostPort/portmap rule could match incoming traffic even if there were better fitting, more specific service definition rules like NodePorts later in the chain. The issue is fixed in CNI 0.7.5 and Kubernetes 1.11.9, 1.12.7, 1.13.5, and 1.14.0.

CVSS Scoring

CVSS Score

7.5

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2019-9946
WEB https://github.com/containernetworking/plugins/pull/269#issuecomment-477683272
WEB https://access.redhat.com/errata/RHBA-2019:0862
WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/FCN66VYB3XS76SYH567SO7N3I254JOCT
WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/SGOOWAELGH3F7OXRBPH3HCNZELNLXYTW
WEB https://security.netapp.com/advisory/ntap-20190416-0002

Advisory provided by GitHub Security Advisory Database. Published: May 13, 2022, Modified: May 13, 2022

References

https://github.com/containernetworking/plugins/pull/269#issuecomment-477683272
https://security.netapp.com/advisory/ntap-20190416-0002/
https://access.redhat.com/errata/RHBA-2019:0862
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FCN66VYB3XS76SYH567SO7N3I254JOCT/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGOOWAELGH3F7OXRBPH3HCNZELNLXYTW/

HackerOne Reports

IPv4 only clusters susceptible to MitM attacks via IPv6 rogue router advertisements Medium
champtar
Kubernetes
Man-in-the-Middle
View Report
Published: 2019-04-02T17:22:52
Last Modified: 2024-08-04T22:10:08.508Z
Copied to clipboard!