Description
A vulnerability was found in all versions of containernetworking/plugins before version 0.8.6, that allows malicious containers in Kubernetes clusters to perform man-in-the-middle (MitM) attacks. A malicious container can exploit this flaw by sending rogue IPv6 router advertisements to the host or other containers, to redirect traffic to the malicious container.
A vulnerability was found in affected container networking implementations that allows malicious containers in Kubernetes clusters to perform man-in-the-middle (MitM) attacks. A malicious container can exploit this flaw by sending "rogue" IPv6 router advertisements to the host or other containers, to redirect traffic to the malicious container.
Statement
In OpenShift Container Platform 4, the default network plugin, OpenShift SDN, and OVN-Kubernetes do not forward IPv6 traffic, so this vulnerability is not exploitable. However, the affected code from containernetworking/plugins is still included in these plugins, hence this vulnerability is rated Low for both OpenShift SDN and OVN-Kubernetes. In OpenShift Container Platform 3.11, IPv6 traffic is not forwarded by the OpenShift SDN, so this vulnerability is not exploitable there either. However, the affected code from containernetworking/plugins is still included in the atomic-openshift package, hence this vulnerability is rated Low for OpenShift Container Platform 3.11.
Mitigation
Prevent untrusted, non-privileged containers from running with CAP_NET_RAW.
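One way to check the mitigation above against a workload definition, as an added example that is not part of the advisory: the function walks a Kubernetes pod manifest and reports every container that may still hold NET_RAW. It assumes the container runtime grants NET_RAW by default unless it is dropped; the sample manifest and all names in it are constructed.

```python
# Added example: audit a pod manifest for containers that keep NET_RAW.
# Assumption: the runtime grants NET_RAW by default unless it is dropped.

def _caps(values):
    """Normalise capability names: upper-case, without a CAP_ prefix."""
    names = (str(v).upper() for v in (values or []))
    return {n[4:] if n.startswith("CAP_") else n for n in names}


def containers_with_net_raw(pod):
    """Return [(container_name, reason)] for containers that may hold NET_RAW."""
    spec = pod.get("spec") or {}
    findings = []
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(kind) or []:
            sc = c.get("securityContext") or {}
            caps = sc.get("capabilities") or {}
            add, drop = _caps(caps.get("add")), _caps(caps.get("drop"))
            if sc.get("privileged"):
                reason = "privileged"
            elif add & {"NET_RAW", "ALL"}:
                # Conservative: any explicit add counts as retained.
                reason = "added explicitly"
            elif drop & {"NET_RAW", "ALL"}:
                continue  # capability removed, nothing to report
            else:
                reason = "runtime default not dropped"
            findings.append((c.get("name", "<unnamed>"), reason))
    return findings


# Constructed sample manifest (not taken from the advisory).
SAMPLE_POD = {"spec": {
    "initContainers": [
        {"name": "setup",
         "securityContext": {"capabilities": {"drop": ["NET_RAW"]}}}],
    "containers": [
        {"name": "web"},
        {"name": "hardened", "securityContext": {
            "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}},
        {"name": "pinger", "securityContext": {
            "capabilities": {"drop": ["ALL"], "add": ["CAP_NET_RAW"]}}},
        {"name": "agent", "securityContext": {"privileged": True}}],
}}

if __name__ == "__main__":
    for name, reason in containers_with_net_raw(SAMPLE_POD):
        print(f"{name}: NET_RAW retained ({reason})")
```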
Affected packages
Platform | Package | State | Advisory | Release |
---|---|---|---|---|
Red Hat Enterprise Linux 8 | container-tools:1.0/containernetworking-plugins | Out of support scope | ||
Red Hat Enterprise Linux 8 | container-tools:2.0/containernetworking-plugins | Affected | ||
Red Hat OpenShift Container Platform 3.11 | atomic-openshift | Not affected | ||
Red Hat OpenShift Container Platform 4 | openshift4/ose-container-networking-plugins-rhel8 | Affected | ||
Red Hat OpenShift Container Platform 4 | openshift4/ose-ovn-kubernetes | Affected | ||
Red Hat OpenShift Container Platform 4 | openshift4/sriov-cni-rhel9 | Will not fix | ||
Red Hat OpenShift Virtualization 1 | multus-cni | Will not fix | ||
Red Hat OpenShift Virtualization 1 | ovs-cni-plugin | Will not fix | ||
Red Hat OpenShift Virtualization 2 | ovs-cni-plugin | Affected | ||
Red Hat Enterprise Linux 7 Extras | containernetworking-plugins | Fixed | RHSA-2020:2684 | 23.06.2020 |
Additional information
CVSS3: 6 Medium