CVE-2020-8555: Kubernetes kube-controller-manager SSRF
First published: Tue Apr 07 2020(Updated: )
The Kubernetes kube-controller-manager in versions v1.0-1.14, versions prior to v1.15.12, v1.16.9, v1.17.5, and version v1.18.0 are vulnerable to a Server Side Request Forgery (SSRF) that allows certain authorized users to leak up to 500 bytes of arbitrary information from unprotected endpoints within the master's host network (such as link-local or loopback services).
Credit: jordan@liggitt.net jordan@liggitt.net
| Affected Software | Affected Version | How to fix |
|---|---|---|
| go/k8s.io/kubernetes | <1.15.12 | 1.15.12 |
| go/k8s.io/kubernetes | >=1.16.0<1.16.9 | 1.16.9 |
| go/k8s.io/kubernetes | >=1.17.0<1.17.4 | 1.17.4 |
| go/k8s.io/kubernetes | >=1.18.0<1.18.1 | 1.18.1 |
| redhat/kube-controller-manager | <1.18.1 | 1.18.1 |
| redhat/kube-controller-manager | <1.17.5 | 1.17.5 |
| redhat/kube-controller-manager | <1.15.12 | 1.15.12 |
| redhat/atomic-openshift | <0:3.11.232-1.git.0.a5bc32f.el7 | 0:3.11.232-1.git.0.a5bc32f.el7 |
| redhat/openshift | <0:4.2.36-202006211650.p0.git.0.1fe246f.el7 | 0:4.2.36-202006211650.p0.git.0.1fe246f.el7 |
| redhat/openshift | <0:4.3.25-202006060952.git.1.96c30f6.el7 | 0:4.3.25-202006060952.git.1.96c30f6.el7 |
| redhat/openshift | <0:4.4.0-202006061254.git.1.dc84fb4.el8 | 0:4.4.0-202006061254.git.1.dc84fb4.el8 |
| Kubernetes Kubernetes | <1.15.11 | |
| Kubernetes Kubernetes | >=1.16.0<1.16.9 | |
| Kubernetes Kubernetes | >=1.17.0<1.17.5 | |
| Kubernetes Kubernetes | =1.18.0 | |
| Fedoraproject Fedora | =32 |
Remedy
Restrict use of the vulnerable volume type and restrict StorageClass write permissions via RBAC
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2020-8555
- https://github.com/kubernetes/kubernetes/issues/91542
- https://github.com/kubernetes/kubernetes/pull/89794
- https://groups.google.com/d/topic/kubernetes-security-announce/kEK27tqqs30/discussion
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3SOCLOPTSYABTE4CLTSPDIFE6ZZZR4LX/
- https://security.netapp.com/advisory/ntap-20200724-0005/
- http://www.openwall.com/lists/oss-security/2020/06/01/4
- http://www.openwall.com/lists/oss-security/2021/05/04/8
- https://github.com/advisories/GHSA-x6mj-w4jf-jmgw (Advisory)
- https://www.cve.org/CVERecord?id=CVE-2020-8555 https://nvd.nist.gov/vuln/detail/CVE-2020-8555 https://groups.google.com/forum/#!topic/kubernetes-security-announce/kEK27tqqs30
- https://bugzilla.redhat.com/show_bug.cgi?id=1821583
- https://access.redhat.com/errata/RHSA-2020:2479
- https://access.redhat.com/errata/RHSA-2020:2594
- https://access.redhat.com/errata/RHSA-2020:2440
- https://access.redhat.com/errata/RHSA-2020:2441
- https://access.redhat.com/errata/RHSA-2020:2448
- https://access.redhat.com/errata/RHSA-2020:2449
- https://access.redhat.com/security/cve/cve-2020-8555
- https://groups.google.com/forum/#!topic/kubernetes-security-announce/kEK27tqqs30
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1842692
- https://github.com/kubernetes/kubernetes/pull/89796
- https://github.com/kubernetes/kubernetes/pull/89837
- https://github.com/kubernetes/kubernetes/pull/89838
- https://github.com/kubernetes/kubernetes/pull/89839
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3SOCLOPTSYABTE4CLTSPDIFE6ZZZR4LX/
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2020-8555?
CVE-2020-8555 is a vulnerability in the Kubernetes kube-controller-manager that allows certain authorized users to leak up to 500 bytes of arbitrary information from unprotected endpoints.
What is the severity of CVE-2020-8555?
The severity of CVE-2020-8555 is medium, with a CVSS score of 6.3.
How can I fix CVE-2020-8555?
To fix CVE-2020-8555, you need to upgrade to Kubernetes versions 1.15.12, 1.16.9, 1.17.5, or 1.18.1, depending on the affected version.
Where can I find more information about CVE-2020-8555?
You can find more information about CVE-2020-8555 at the following references: [CVE-2020-8555](https://www.cve.org/CVERecord?id=CVE-2020-8555), [NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-8555), [Kubernetes Security Announce](https://groups.google.com/forum/#!topic/kubernetes-security-announce/kEK27tqqs30), [Bugzilla Red Hat](https://bugzilla.redhat.com/show_bug.cgi?id=1821583), [Red Hat Advisory](https://access.redhat.com/errata/RHSA-2020:2479).
What is the Common Weakness Enumeration (CWE) of CVE-2020-8555?
The CWEs associated with CVE-2020-8555 are CWE-918 (Server-Side Request Forgery) and CWE-200 (Information Exposure).
- collector/github-advisory-latest
- alias/GHSA-x6mj-w4jf-jmgw
- alias/CVE-2020-8555
- collector/github-advisory
- collector/redhat-cve
- collector/nvd-index
- collector/nvd-cve
- agent/author
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- agent/severity
- agent/remedy
- agent/weakness
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/references
- agent/title
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/trending
- agent/tags
- agent/source
- package-manager/go
- package-manager/redhat
- vendor/kubernetes
- canonical/kubernetes kubernetes
- version/kubernetes kubernetes/1.16.0
- version/kubernetes kubernetes/1.17.0
- version/kubernetes kubernetes/1.18.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/32