PT-2020-13614 · Tigera · Calico, Calico Enterprise

Published: 2020-06-03 · Updated: 2022-08-05 · CVE-2020-13597

CVSS v3.1: 6.0 (Medium)
Vector: AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions

Calico versions 3.14.0 and below
Calico Enterprise versions 2.8.2 and below

Description

The issue allows a compromised pod with sufficient privilege to reconfigure the node's IPv6 interface, enabling the attacker to redirect network traffic from the node to the compromised pod, potentially leading to information disclosure. This occurs because the node accepts IPv6 route advertisements by default when IPv6 is enabled but unused.

Recommendations

For Calico versions 3.14.0 and below, consider disabling IPv6 on nodes where it is not in use to prevent the reconfiguration of the node's IPv6 interface. For Calico Enterprise versions 2.8.2 and below, restrict the privilege of pods to prevent them from reconfiguring the node's IPv6 interface. As a temporary workaround, consider disabling the acceptance of route advertisements by default on nodes to minimize the risk of exploitation.
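The precondition the advisory describes (IPv6 left enabled on a node interface while router advertisements are still accepted) can be audited from a node's sysctl state. The following is an added example, not part of this advisory or of the Calico project; it assumes `sysctl -a` style `key = value` lines on stdin and uses a constructed sample in place of a live node.

```shell
# Added example (not from the advisory or from Tigera/Calico): report every
# interface where IPv6 is enabled (disable_ipv6 = 0) and router advertisements
# are accepted (accept_ra != 0). Input: `sysctl -a` style "key = value" lines.
audit_ipv6_ra() {
    awk -F' *= *' '
        # Only per-interface IPv6 keys matter: net.ipv6.conf.<iface>.<param>
        $1 ~ /^net\.ipv6\.conf\./ {
            n = split($1, k, ".")          # k[4] = interface, k[5] = parameter
            if (k[4] == "all" || k[4] == "lo") next   # "all" is a write-through knob; lo never gets RAs
            if (n == 5 && k[5] == "disable_ipv6") dis[k[4]] = $2
            if (n == 5 && k[5] == "accept_ra")    ra[k[4]]  = $2
        }
        END {
            # Exposed when IPv6 is up on the interface and accept_ra is not 0.
            # "default" here means interfaces created later (e.g. new pod veths)
            # will inherit the exposed setting.
            for (i in ra)
                if (dis[i] == 0 && ra[i] != 0) printf "%s accept_ra=%s\n", i, ra[i]
        }' | sort
}

# Constructed sample mirroring a node where IPv6 is unused but still enabled
# on eth0 and on the template for new interfaces, while docker0 has IPv6 off
# and one pod veth already has accept_ra = 0.
SAMPLE_SYSCTL='net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.all.accept_ra = 1
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.default.accept_ra = 1
net.ipv6.conf.eth0.disable_ipv6 = 0
net.ipv6.conf.eth0.accept_ra = 1
net.ipv6.conf.eth0.accept_ra_defrtr = 1
net.ipv6.conf.cali1234.disable_ipv6 = 0
net.ipv6.conf.cali1234.accept_ra = 0
net.ipv6.conf.docker0.disable_ipv6 = 1
net.ipv6.conf.docker0.accept_ra = 1'

# Runs the audit over the constructed sample; prints "default" and "eth0".
audit_sample() { printf '%s\n' "$SAMPLE_SYSCTL" | audit_ipv6_ra; }

audit_sample
```

On a real node run `sysctl -a 2>/dev/null | audit_ipv6_ra`; an empty result means no interface meets the advisory's precondition, and each reported interface is a candidate for the workaround above (accept_ra set to 0, or IPv6 disabled where unused).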

Weakness Enumeration

Information Disclosure

Related Identifiers

CVE-2020-13597
GHSA-PF59-J7C2-RH6X

Affected Products

Calico
Calico Enterprise