PT-2019-19952

Etienne Champetier · Published 2019-03-28 · Updated 2024-06-15

CVE-2019-9946

CVSS v3.1: 7.0 (High)
Vector: AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H
Name of the Vulnerable Software and Affected Versions

CNI versions 0.7.4 and earlier
Kubernetes versions prior to 1.11.9
Kubernetes versions prior to 1.12.7
Kubernetes versions prior to 1.13.5
Kubernetes versions prior to 1.14.0
Description

The issue is a network firewall misconfiguration in the CNI 'portmap' plugin. The plugin, which sets up HostPorts for CNI, inserts its rules at the front of the iptables nat chains, so they are evaluated before the KUBE-SERVICES chain. As a result, a HostPort/portmap rule can match incoming traffic even when a better-fitting, more specific service rule (for example a NodePort) appears later in the chain.
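The defect described above is purely a question of rule order in the nat PREROUTING chain. The following check, added here as an illustration and not code from the advisory or from the CNI project, parses `iptables -t nat -S PREROUTING` style output and reports whether the jump to the portmap plugin's chain is evaluated before the jump to KUBE-SERVICES. The sample rule lines are constructed, and the chain name CNI-HOSTPORT-DNAT is assumed to be the chain the portmap plugin creates on the inspected node; adjust it if your CNI build uses a different name.

```python
"""Check jump-rule ordering in the iptables nat PREROUTING chain.

The two rule sets below are constructed examples that imitate
`iptables -t nat -S PREROUTING` output; they were not captured from
a real node.
"""
import re
import subprocess
from typing import List, Optional

# Matches a PREROUTING rule and captures its jump target (-j CHAIN).
JUMP_RE = re.compile(r"^-A PREROUTING\b.*?-j (\S+)")


def jump_targets(rules: List[str]) -> List[str]:
    """Return the jump targets of PREROUTING rules in evaluation order."""
    targets = []
    for line in rules:
        match = JUMP_RE.match(line.strip())
        if match:
            targets.append(match.group(1))
    return targets


def hostport_precedes_services(
    rules: List[str],
    hostport_chain: str = "CNI-HOSTPORT-DNAT",  # assumed portmap chain name
    services_chain: str = "KUBE-SERVICES",
) -> Optional[bool]:
    """True if the hostport jump is evaluated before KUBE-SERVICES
    (the ordering the advisory describes), False if it comes after,
    None if either jump is absent from the chain."""
    targets = jump_targets(rules)
    if hostport_chain not in targets or services_chain not in targets:
        return None
    return targets.index(hostport_chain) < targets.index(services_chain)


def read_live_rules() -> List[str]:
    """Read the real PREROUTING chain (requires root and iptables)."""
    out = subprocess.run(
        ["iptables", "-t", "nat", "-S", "PREROUTING"],
        capture_output=True, text=True, check=True,
    )
    return out.stdout.splitlines()


# Constructed sample: portmap jump inserted ahead of KUBE-SERVICES.
VULNERABLE_SAMPLE = [
    "-P PREROUTING ACCEPT",
    "-A PREROUTING -m addrtype --dst-type LOCAL -j CNI-HOSTPORT-DNAT",
    '-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES',
]

# Constructed sample: KUBE-SERVICES evaluated first, portmap afterwards.
FIXED_SAMPLE = [
    "-P PREROUTING ACCEPT",
    '-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES',
    "-A PREROUTING -m addrtype --dst-type LOCAL -j CNI-HOSTPORT-DNAT",
]

if __name__ == "__main__":
    for name, sample in (("constructed vulnerable", VULNERABLE_SAMPLE),
                         ("constructed fixed", FIXED_SAMPLE)):
        print(f"{name}: hostport before KUBE-SERVICES = "
              f"{hostport_precedes_services(sample)}")
```

On a node, replace the constructed samples with `read_live_rules()`; a result of `True` means HostPort rules shadow later service rules in the way the advisory describes, and `None` means one of the two chains is not present, so the check does not apply.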
Recommendations

For CNI version 0.7.4, update to version 0.7.5 to resolve the issue.
For Kubernetes versions prior to 1.11.9, update to version 1.11.9 or later.
For Kubernetes versions prior to 1.12.7, update to version 1.12.7 or later.
For Kubernetes versions prior to 1.13.5, update to version 1.13.5 or later.
For Kubernetes versions prior to 1.14.0, update to version 1.14.0 or later.

Related Identifiers

ALSA-2019:3403
ALT-PU-2019-1540
CESA-2019_3403
CVE-2019-9946
OPENSUSE-SU-2024:10884-1
RHSA-2019:3403
RHSA-2019_3403
RLSA-2019:3403

Affected Products

Alt Linux
Almalinux
Cni
Centos
Kubernetes
Red Hat
Rocky Linux