CVE-2019-9946

EUVD-2019-19300
Cloud Native Computing Foundation (CNCF) CNI (Container Networking Interface) 0.7.4 has a network firewall misconfiguration which affects Kubernetes. The CNI 'portmap' plugin, used to set up HostPorts for CNI, inserts rules at the front of the iptables nat chains, which therefore take precedence over the KUBE-SERVICES chain. Because iptables evaluates a chain top to bottom and the first matching terminating rule wins, the HostPort/portmap rule could match incoming traffic even if there were better fitting, more specific service definition rules (such as NodePorts) later in the chain. The issue is fixed in CNI 0.7.5 and Kubernetes 1.11.9, 1.12.7, 1.13.5, and 1.14.0.
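The following is an added example, not code from the CNI plugins or Kubernetes projects, showing how a practitioner can check a node for the rule ordering described above and why the ordering matters. It parses a constructed, deliberately simplified iptables-save nat table (real portmap and kube-proxy rules pass through several intermediate chains and carry more match options; the chain names CNI-HOSTPORT-DNAT and KUBE-SERVICES are real, the addresses and ports are made up), reports which user chain PREROUTING jumps to first, and then simulates iptables first-match semantics so that the same packet can be traced through the vulnerable ordering (portmap jump first) and the fixed ordering (service jump first). Only -A, -d, -p, --dport/--dports, -j and --to-destination are modelled; negations and other matches are ignored, so it is a screening check rather than a full firewall model.

```python
"""Added example (not CNI plugins or Kubernetes code): audit an iptables-save
nat table for the rule-ordering problem behind CVE-2019-9946 and simulate
iptables first-match semantics to show which DNAT a packet actually hits.
Only the options the check needs are modelled: -A, -d, -p, --dport/--dports,
-j and --to-destination; negations ("!") and other matches are ignored."""
import ipaddress
import shlex

# Constructed, simplified dump.  Real portmap/kube-proxy rules go through more
# intermediate chains; the addresses and ports below are made up.
HEADER = ["*nat", ":PREROUTING ACCEPT [0:0]",
          ":CNI-HOSTPORT-DNAT - [0:0]", ":KUBE-SERVICES - [0:0]"]
CNI_JUMP = '-A PREROUTING -m comment --comment "CNI portmap plugin" -j CNI-HOSTPORT-DNAT'
KUBE_JUMP = '-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES'
BODY = [
    # HostPort 8080: matches the port on ANY destination address.
    "-A CNI-HOSTPORT-DNAT -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.244.1.5:80",
    # Service rule: more specific, restricted to the ClusterIP.
    "-A KUBE-SERVICES -d 10.96.0.10/32 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.244.2.7:8080",
]
VULNERABLE_NAT = "\n".join(HEADER + [CNI_JUMP, KUBE_JUMP] + BODY + ["COMMIT"])  # portmap first
FIXED_NAT = "\n".join(HEADER + [KUBE_JUMP, CNI_JUMP] + BODY + ["COMMIT"])       # services first


def parse_nat(dump):
    """Return {chain: [rule, ...]} for the nat table of an iptables-save dump."""
    chains, in_nat, chain = {}, False, None
    for line in dump.splitlines():
        if line.startswith("*"):
            in_nat = line.strip() == "*nat"
            continue
        if not in_nat or not line.strip() or line.startswith("COMMIT"):
            continue
        if line.startswith(":"):
            chains.setdefault(line[1:].split()[0], [])
            continue
        toks, rule, i = shlex.split(line), {}, 0
        while i < len(toks):
            key = toks[i]
            val = toks[i + 1] if i + 1 < len(toks) and not toks[i + 1].startswith("-") else None
            i += 2 if val is not None else 1
            if key == "-A":
                chain = val
            elif key == "-d":
                rule["dst"] = ipaddress.ip_network(val, strict=False)
            elif key == "-p":
                rule["proto"] = val
            elif key in ("--dport", "--dports"):
                rule["dport"] = int(val)
            elif key == "-j":
                rule["target"] = val
            elif key == "--to-destination":
                rule["to"] = val
        if chain is not None:
            chains.setdefault(chain, []).append(rule)
    return chains


def jump_order(chains, chain="PREROUTING"):
    """User chains jumped to from `chain`, in the order iptables evaluates them."""
    return [r["target"] for r in chains.get(chain, []) if r.get("target") in chains]


def portmap_shadows_services(chains, chain="PREROUTING"):
    """True when CNI-HOSTPORT-DNAT is consulted before KUBE-SERVICES (vulnerable order)."""
    order = jump_order(chains, chain)
    if "CNI-HOSTPORT-DNAT" not in order or "KUBE-SERVICES" not in order:
        return False
    return order.index("CNI-HOSTPORT-DNAT") < order.index("KUBE-SERVICES")


def _matches(rule, pkt):
    if "dst" in rule and ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
        return False
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    return "dport" not in rule or rule["dport"] == pkt["dport"]


def first_match(chains, chain, pkt):
    """Walk `chain` as iptables does: the first matching terminating rule wins;
    a jump into a user chain falls through when nothing inside it matches."""
    for rule in chains.get(chain, []):
        if not _matches(rule, pkt):
            continue
        target = rule.get("target")
        if target == "DNAT":
            return f"{chain}: DNAT -> {rule['to']}"
        if target == "RETURN":
            return None
        if target in chains:
            hit = first_match(chains, target, pkt)
            if hit is not None:
                return hit
        elif target in ("ACCEPT", "DROP", "REJECT"):
            return f"{chain}: {target}"
        # anything else (MARK, match-only rules) is non-terminating: keep walking
    return None


if __name__ == "__main__":
    pkt = {"dst": "10.96.0.10", "proto": "tcp", "dport": 8080}  # traffic for the ClusterIP
    for name, dump in (("vulnerable", VULNERABLE_NAT), ("fixed", FIXED_NAT)):
        c = parse_nat(dump)
        print(f"{name}: jumps={jump_order(c)} shadowed={portmap_shadows_services(c)}"
              f" hit={first_match(c, 'PREROUTING', pkt)}")
```

With the vulnerable ordering the packet for the ClusterIP is rewritten by the HostPort rule; with the service jump first it reaches the more specific KUBE-SERVICES rule, and only traffic that no service rule claims falls through to the HostPort. On a real node, feed the text of `iptables-save -t nat` (run as root) to `parse_nat`, or simply read the order of the jumps in `iptables -t nat -S PREROUTING`, which lists rules in evaluation order.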
CVSS 3.x Base Score
Provider  Type     Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST      Primary  7.5 HIGH    NETWORK      LOW              NONE            CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS Score: percentile 40%
Affected Products (NVD)
Vendor      Product         Version
cncf        portmap         x < 0.7.5
kubernetes  kubernetes      x < 1.11.9
kubernetes  kubernetes      1.12.0 ≤ x < 1.12.7
kubernetes  kubernetes      1.13.0 ≤ x < 1.13.5
kubernetes  kubernetes      1.13.6:beta0
kubernetes  kubernetes      1.14.0:alpha0
kubernetes  kubernetes      1.14.0:alpha1
kubernetes  kubernetes      1.14.0:alpha2
kubernetes  kubernetes      1.14.0:alpha3
kubernetes  kubernetes      1.14.0:beta0
kubernetes  kubernetes      1.14.0:beta1
kubernetes  kubernetes      1.14.0:beta2
kubernetes  kubernetes      1.14.0:rc1
netapp      cloud_insights  -
x = vulnerable software versions
Debian Releases
Package                                    Codename  Version                  Status
golang-github-containernetworking-plugins  bookworm  1.1.1+ds1-3              fixed
golang-github-containernetworking-plugins  bullseye  0.9.0-1                  fixed
golang-github-containernetworking-plugins  sid       1.1.1+ds1-3              fixed
golang-github-containernetworking-plugins  trixie    1.1.1+ds1-3              fixed
kubernetes                                 bookworm  1.20.5+really1.20.2-1.1  fixed
kubernetes                                 bullseye  1.20.5+really1.20.2-1    fixed
kubernetes                                 sid       1.20.5+really1.20.2-1.1  fixed
kubernetes                                 trixie    1.20.5+really1.20.2-1.1  fixed
singularity-container                      sid       4.1.5+ds3-1              fixed
Ubuntu Releases
Package     Codename  Status
kubernetes  bionic    dne
kubernetes  cosmic    ignored
kubernetes  disco     ignored
kubernetes  eoan      ignored
kubernetes  focal     needs-triage
kubernetes  groovy    ignored
kubernetes  hirsute   ignored
kubernetes  impish    ignored
kubernetes  jammy     needs-triage
kubernetes  kinetic   ignored
kubernetes  lunar     ignored
kubernetes  mantic    ignored
kubernetes  noble     needs-triage
kubernetes  trusty    dne
kubernetes  xenial    dne
Status values follow the Ubuntu CVE tracker: dne = the package does not exist in that release; ignored = no fix will be issued for that release; needs-triage = not yet assessed.