Man-in-the-Middle (MitM) Affecting github.com/kubernetes/kubernetes package, versions <1.21.0-alpha.1


0.0
medium

Snyk CVSS

    Exploit Maturity Proof of concept
    Attack Complexity Low
Expand this section
NVD
5 medium

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-GOLANG-GITHUBCOMKUBERNETESKUBERNETES-1048854
  • published 8 Dec 2020
  • disclosed 7 Dec 2020
  • credit Etienne Champetier of Anevia

How to fix?

Upgrade github.com/kubernetes/kubernetes to version 1.21.0-alpha.1 or higher.

Overview

github.com/kubernetes/kubernetes is a Production-Grade Container Scheduling and Management.

Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). An attacker that is able to create a ClusterIP service and set the spec.externalIPs field can intercept traffic to that IP. An attacker that is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.

Mitigations have been published:

  1. To restrict the use of external IPs we are providing an admission webhook container: k8s.gcr.io/multitenancy/externalip-webhook:v1.0.0. The source code and deployment instructions are published at https://github.com/kubernetes-sigs/externalip-webhook.
  2. Alternatively, external IPs can be restricted using OPA Gatekeeper. A sample ConstraintTemplate and Constraint can be found here: https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/general/externalip.