NULL Pointer Dereference Affecting kubeadm package, versions <0:1.17.9-1.0.1.el7


Severity

Recommended
0.0
high
0
10

Based on Oracle Linux security rating.

Threat Intelligence

EPSS
2.33% (82nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-ORACLE7-KUBEADM-2576402
  • published10 Apr 2022
  • disclosed2 Jun 2020

Introduced: 2 Jun 2020

CVE-2020-10739  (opens in a new tab)
CWE-476  (opens in a new tab)

How to fix?

Upgrade Oracle:7 kubeadm to version 0:1.17.9-1.0.1.el7 or higher.
This issue was patched in ELSA-2020-5765.

NVD Description

Note: Versions mentioned in the description apply only to the upstream kubeadm package and not the kubeadm package as distributed by Oracle. See How to fix? for Oracle:7 relevant fixed versions and status.

Istio 1.4.x before 1.4.9 and Istio 1.5.x before 1.5.4 contain the following vulnerability when telemetry v2 is enabled: by sending a specially crafted packet, an attacker could trigger a Null Pointer Exception resulting in a Denial of Service. This could be sent to the ingress gateway or a sidecar, triggering a null pointer exception which results in a denial of service. This also affects servicemesh-proxy where a null pointer exception flaw was found in servicemesh-proxy. When running Telemetry v2 (not on by default in version 1.4.x), an attacker could send a specially crafted packet to the ingress gateway or proxy sidecar, triggering a denial of service.

CVSS Base Scores

version 3.1