CVE-2020-8558: Kubernetes node setting allows for neighboring hosts to bypass localhost boundary
First published: Sat Apr 18 2020(Updated: )
A flaw was found in Kubernetes that allows attackers on adjacent networks to reach services exposed on localhost ports, previously thought to be unreachable. This flaw allows an attacker to gain privileges or access confidential information for any services listening on localhost ports that are not protected by authentication.
Credit: jordan@liggitt.net
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/atomic-openshift | <0:3.11.248-1.git.0.92ee8ac.el7 | 0:3.11.248-1.git.0.92ee8ac.el7 |
| redhat/openshift | <0:4.3.31-202007280738.p0.git.0.9884401.el7 | 0:4.3.31-202007280738.p0.git.0.9884401.el7 |
| redhat/openshift | <0:4.4.0-202007090832.p0.git.0.bc32fb1.el8 | 0:4.4.0-202007090832.p0.git.0.bc32fb1.el8 |
| redhat/openshift | <0:4.5.0-202007012112.p0.git.0.582d7fc.el7 | 0:4.5.0-202007012112.p0.git.0.582d7fc.el7 |
| Kubernetes Kubernetes | >=1.1.0<=1.16.10 | |
| Kubernetes Kubernetes | >=1.17.0<=1.17.6 | |
| Kubernetes Kubernetes | >=1.18.0<=1.18.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/kubernetes/kubernetes/issues/92315
- https://groups.google.com/g/kubernetes-announce/c/sI4KmlH3S2I/m/TljjxOBvBQAJ
- https://security.netapp.com/advisory/ntap-20200821-0001/
- https://github.com/kubernetes/kubernetes/issues/90259
- https://github.com/kubernetes/kubernetes/pull/91569
- https://groups.google.com/g/kubernetes-security-announce/c/B1VegbBDMTE
- https://access.redhat.com/errata/RHSA-2020:2413
- https://access.redhat.com/errata/RHSA-2020:2412
- https://access.redhat.com/security/cve/cve-2020-8558
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1857092
- https://access.redhat.com/errata/RHSA-2020:2927
- https://access.redhat.com/errata/RHSA-2020:2926
- https://access.redhat.com/errata/RHSA-2020:2992
- https://access.redhat.com/errata/RHSA-2020:3183
- https://access.redhat.com/errata/RHSA-2020:3184
- https://bugzilla.redhat.com/show_bug.cgi?id=1843358
- https://www.cve.org/CVERecord?id=CVE-2020-8558 https://nvd.nist.gov/vuln/detail/CVE-2020-8558 https://groups.google.com/g/kubernetes-security-announce/c/B1VegbBDMTE
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the vulnerability ID for this Kubernetes flaw?
The vulnerability ID for this flaw in Kubernetes is CVE-2020-8558.
What is the severity of CVE-2020-8558?
CVE-2020-8558 has a severity of 5.4, which is considered medium.
How does CVE-2020-8558 impact Kubernetes?
CVE-2020-8558 allows attackers on adjacent networks to reach TCP and UDP services bound to 127.0.0.1 running on the node or in the node's network namespace.
Which versions of Kubernetes are affected by CVE-2020-8558?
Versions 1.1.0-1.16.10, 1.17.0-1.17.6, and 1.18.0-1.18.3 of Kubernetes are affected by CVE-2020-8558.
How can I fix CVE-2020-8558 in Kubernetes?
To fix CVE-2020-8558 in Kubernetes, update to version 1.19.0, 1.18.4, or 1.17.7, depending on your current version.
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/softwarecombine
- agent/remedy
- agent/severity
- agent/author
- agent/weakness
- agent/references
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-8558
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/title
- agent/description
- agent/event
- agent/first-publish-date
- agent/tags
- agent/trending
- package-manager/redhat
- vendor/kubernetes
- canonical/kubernetes kubernetes
- version/kubernetes kubernetes/1.1.0
- version/kubernetes kubernetes/1.16.10
- version/kubernetes kubernetes/1.17.0
- version/kubernetes kubernetes/1.17.6
- version/kubernetes kubernetes/1.18.0
- version/kubernetes kubernetes/1.18.3