A security issue was discovered in Kubernetes where a user may be able to redirect pod traffic to private networks on a Node. Kubernetes already prevents creation of Endpoint IPs in the localhost or link-local range, but the same validation was not performed on EndpointSlice IPs.
The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete, leading to resultant weaknesses.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Kubernetes | Kubernetes | 1.16.0 (including) | 1.18.19 (excluding) |
| Kubernetes | Kubernetes | 1.19.0 (including) | 1.19.10 (excluding) |
| Kubernetes | Kubernetes | 1.20.0 (including) | 1.20.7 (excluding) |
| Kubernetes | Kubernetes | 1.21.0 (including) | 1.21.0 (including) |
| Red Hat OpenShift Container Platform 4.8 | RedHat | openshift-0:4.8.0-202107161820.p0.git.051ac4f.assembly.stream.el8 | * |
| Kubernetes | Ubuntu | groovy | * |
| Kubernetes | Ubuntu | hirsute | * |
| Kubernetes | Ubuntu | impish | * |
| Kubernetes | Ubuntu | kinetic | * |
| Kubernetes | Ubuntu | lunar | * |
| Kubernetes | Ubuntu | mantic | * |