{
  "threat_severity" : "Moderate",
  "public_date" : "2020-12-07T00:00:00Z",
  "bugzilla" : {
    "description" : "kubernetes: MITM using LoadBalancer or ExternalIPs",
    "id" : "1891051",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1891051"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-200",
  "details" : [ "The Kubernetes API server in all versions allows an attacker who is able to create a ClusterIP service and set the spec.externalIPs field to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.", "A flaw was found in Kubernetes. If a potential attacker can already create or edit services and pods, then they may be able to intercept traffic from other pods (or nodes) in the cluster." ],
  "statement" : "OpenShift Container Platform (OCP) includes a built-in externalIP admission plugin, which restricts the use of Service externalIPs to those configured by a cluster-admin. In OCP 4 all externalIP ranges are disabled by default. In OCP 3.11, the default range is \"0.0.0.0/0\", which allows all IP addresses.\nThe second attack vector, via patching the Status of a LoadBalancer Service, is not possible unless permission to patch service/status is granted. OCP does not grant this permission to users who are not cluster-admins.\nOCP 4 is not affected by this vulnerability as it is secure by default. OCP 3.11 is affected; however, the vulnerability can be mitigated by configuring the built-in externalIP admission plugin.",
  "acknowledgement" : "Red Hat would like to thank the Kubernetes Product Security Committee for reporting this issue. Upstream acknowledges Etienne Champetier (Anevia) as the original reporter.",
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "release_date" : "2021-01-20T00:00:00Z",
    "advisory" : "RHSA-2021:0079",
    "cpe" : "cpe:/a:redhat:openshift:3.11::el7",
    "package" : "atomic-openshift-0:3.11.374-1.git.0.ebd3ee9.el7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Not affected",
    "package_name" : "heketi",
    "cpe" : "cpe:/a:redhat:storage:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-8554\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-8554\nhttps://blog.champtar.fr/K8S_MITM_LoadBalancer_ExternalIPs/\nhttps://groups.google.com/g/kubernetes-security-announce/c/iZWsF9nbKE8" ],
  "name" : "CVE-2020-8554",
  "mitigation" : {
    "value" : "ExternalIP address ranges can be configured as described below. OCP 4 is secure by default, though cluster-admins can whitelist externalIP addresses as needed. OCP 3.11 can be secured by changing `externalIPNetworkCIDR` to \"0.0.0.0/32\", which blocks all externalIP address values.\nhttps://docs.openshift.com/container-platform/4.6/networking/configuring_ingress_cluster_traffic/configuring-externalip.html\nhttps://docs.openshift.com/container-platform/3.11/admin_guide/tcp_ingress_external_ports.html#service-externalip\nUsers can check whether they have permission to patch the Status of a LoadBalancer Service with the command: `kubectl auth can-i patch service --subresource=status`. In OCP, by default only cluster-admins are granted this permission.",
    "lang" : "en:us"
  },
  "csaw" : false
}