CVE-2019-9946

2019-04-0218:30:26

Debian Security Bug Tracker

security-tracker.debian.org

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.002

Percentile

62.0%

JSON

Cloud Native Computing Foundation (CNCF) CNI (Container Networking Interface) 0.7.4 has a network firewall misconfiguration which affects Kubernetes. The CNI ‘portmap’ plugin, used to setup HostPorts for CNI, inserts rules at the front of the iptables nat chains; which take precedence over the KUBE- SERVICES chain. Because of this, the HostPort/portmap rule could match incoming traffic even if there were better fitting, more specific service definition rules like NodePorts later in the chain. The issue is fixed in CNI 0.7.5 and Kubernetes 1.11.9, 1.12.7, 1.13.5, and 1.14.0.

OSVersionArchitecturePackageVersionFilename
Debian12allgolang-github-containernetworking-plugins< 1.1.1+ds1-3golang-github-containernetworking-plugins_1.1.1+ds1-3_all.deb
Debian11allgolang-github-containernetworking-plugins< 0.9.0-1golang-github-containernetworking-plugins_0.9.0-1_all.deb
Debian999allgolang-github-containernetworking-plugins< 1.1.1+ds1-3golang-github-containernetworking-plugins_1.1.1+ds1-3_all.deb
Debian13allgolang-github-containernetworking-plugins< 1.1.1+ds1-3golang-github-containernetworking-plugins_1.1.1+ds1-3_all.deb
Debian12allkubernetes< 1.17.4-1kubernetes_1.17.4-1_all.deb
Debian11allkubernetes< 1.17.4-1kubernetes_1.17.4-1_all.deb
Debian999allkubernetes< 1.17.4-1kubernetes_1.17.4-1_all.deb
Debian13allkubernetes< 1.17.4-1kubernetes_1.17.4-1_all.deb
Debian999allsingularity-container< 3.5.0+ds1-1singularity-container_3.5.0+ds1-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	golang-github-containernetworking-plugins	< 1.1.1+ds1-3	golang-github-containernetworking-plugins_1.1.1+ds1-3_all.deb
Debian	11	all	golang-github-containernetworking-plugins	< 0.9.0-1	golang-github-containernetworking-plugins_0.9.0-1_all.deb
Debian	999	all	golang-github-containernetworking-plugins	< 1.1.1+ds1-3	golang-github-containernetworking-plugins_1.1.1+ds1-3_all.deb
Debian	13	all	golang-github-containernetworking-plugins	< 1.1.1+ds1-3	golang-github-containernetworking-plugins_1.1.1+ds1-3_all.deb
Debian	12	all	kubernetes	< 1.17.4-1	kubernetes_1.17.4-1_all.deb
Debian	11	all	kubernetes	< 1.17.4-1	kubernetes_1.17.4-1_all.deb
Debian	999	all	kubernetes	< 1.17.4-1	kubernetes_1.17.4-1_all.deb
Debian	13	all	kubernetes	< 1.17.4-1	kubernetes_1.17.4-1_all.deb
Debian	999	all	singularity-container	< 3.5.0+ds1-1	singularity-container_3.5.0+ds1-1_all.deb