[Security Advisory] CVE-2020-8554: Man in the middle using LoadBalancer or ExternalIPs

Hello Kubernetes Community,

A security issue was discovered with Kubernetes affecting multitenant clusters. If a potential attacker can already create or edit services and pods, then they may be able to intercept traffic from other pods (or nodes) in the cluster.

This issue has been rated medium severity (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), and assigned CVE-2020-8554.

An attacker that is able to create a ClusterIP service and set the spec.externalIPs field can intercept traffic to that IP. An attacker that is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.

This issue is a design flaw that cannot be mitigated without user-facing changes. With this public announcement, we can begin conversations about a long-term fix.

Affected Components and Configurations

All Kubernetes versions are affected. Multi-tenant clusters that grant tenant…
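As an added example (not part of the advisory and not Kubernetes project code), the following Python function audits a Service list, in the shape returned by `kubectl get services -A -o json`, for the two fields the advisory names: spec.externalIPs and status.loadBalancer.ingress.ip. The function name, the sample data and the allow-listed range are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample shaped like `kubectl get services -A -o json` output.
# All addresses come from documentation ranges (RFC 5737).
SAMPLE = {"items": [
    {"metadata": {"namespace": "tenant-a", "name": "web"},
     "spec": {"type": "ClusterIP", "externalIPs": ["203.0.113.10"]},
     "status": {"loadBalancer": {}}},
    {"metadata": {"namespace": "tenant-b", "name": "lb"},
     "spec": {"type": "LoadBalancer"},
     "status": {"loadBalancer": {"ingress": [{"ip": "198.51.100.7"}]}}},
    {"metadata": {"namespace": "tenant-b", "name": "internal"},
     "spec": {"type": "ClusterIP"},
     "status": {"loadBalancer": {}}},
]}


def audit_services(service_list, allowed_cidrs=()):
    """Return (namespace, name, field, ip) for each Service IP set through
    spec.externalIPs or status.loadBalancer.ingress.ip that falls outside
    allowed_cidrs (ranges the cluster operator expects, an assumption here)."""
    allowed = [ipaddress.ip_network(cidr) for cidr in allowed_cidrs]
    findings = []
    for svc in service_list.get("items", []):
        meta = svc.get("metadata", {})
        spec = svc.get("spec", {})
        # Field 1: externalIPs set directly on the Service spec.
        candidates = [("spec.externalIPs", ip)
                      for ip in spec.get("externalIPs") or []]
        # Field 2: ingress IPs recorded in the LoadBalancer status.
        ingress = (svc.get("status", {}).get("loadBalancer") or {}).get("ingress") or []
        candidates += [("status.loadBalancer.ingress.ip", entry["ip"])
                       for entry in ingress if entry.get("ip")]
        for field, ip in candidates:
            addr = ipaddress.ip_address(ip)
            if not any(addr in net for net in allowed):
                findings.append((meta.get("namespace"), meta.get("name"), field, ip))
    return findings


if __name__ == "__main__":
    # Assumed allow-list: the range the load balancer controller allocates from.
    for finding in audit_services(SAMPLE, ["198.51.100.0/24"]):
        print("review:", *finding)
```

With an empty allow-list every Service that sets either field is reported, which gives a baseline inventory to review.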

groups.google.com