PT-2020-20205 · Kubernetes · Kubernetes

Published: 2020-12-08 · Updated: 2026-05-27 · CVE-2020-8554

CVSS v3.1: 6.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Kubernetes API server versions prior to a fixed version (the fixed version is not specified).

Description: The issue allows an attacker who can create a ClusterIP service and set the spec.externalIPs field to intercept traffic to that IP address. Additionally, an attacker who can patch the status of a LoadBalancer service can set status.loadBalancer.ingress.ip to similar effect, potentially allowing man-in-the-middle attacks. This behavior is considered a design flaw and has been known since 2016.

Recommendations: As a temporary workaround, consider using admission controllers to restrict the creation of ClusterIP services with the spec.externalIPs field set. Restrict access to patch the status of LoadBalancer services to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
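The workaround above, as an added example that is not part of this record or of the Kubernetes project: a validating-admission decision function that denies Service objects setting spec.externalIPs and denies status writes that set status.loadBalancer.ingress, with an assumed operator-maintained allowlist of IPs and of identities permitted to write LoadBalancer status.

```python
# Added example: admission decision for CVE-2020-8554's workaround.
# Field names (request.subResource, request.userInfo.username, spec.externalIPs,
# status.loadBalancer.ingress) follow the Kubernetes AdmissionReview and Service
# APIs. The two allowlists are assumptions a cluster operator would fill in.
ALLOWED_EXTERNAL_IPS = set()                                  # IPs the operator owns
ALLOWED_STATUS_WRITERS = {"system:serviceaccount:kube-system:cloud-controller-manager"}

def _review(uid, allowed, message=None):
    """Build an AdmissionReview response; a 403 status carries the denial reason."""
    resp = {"uid": uid, "allowed": allowed}
    if not allowed:
        resp["status"] = {"code": 403, "message": message}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": resp}

def review_service(admission_review):
    """Return the AdmissionReview response for a Service create/update/status write."""
    req = admission_review["request"]
    uid = req["uid"]
    obj = req.get("object") or {}
    if obj.get("kind") != "Service":
        return _review(uid, True)
    # Case 1: spec.externalIPs on any Service lets the holder claim traffic to that IP.
    ips = obj.get("spec", {}).get("externalIPs") or []
    bad = [ip for ip in ips if ip not in ALLOWED_EXTERNAL_IPS]
    if bad:
        return _review(uid, False, f"spec.externalIPs not permitted: {bad}")
    # Case 2: a status write that sets loadBalancer.ingress has the same effect,
    # so only the identities that legitimately program load balancers may do it.
    if req.get("subResource") == "status":
        ingress = obj.get("status", {}).get("loadBalancer", {}).get("ingress") or []
        user = req.get("userInfo", {}).get("username", "")
        if ingress and user not in ALLOWED_STATUS_WRITERS:
            return _review(uid, False, f"{user!r} may not set status.loadBalancer.ingress")
    return _review(uid, True)

# Constructed sample requests (not real cluster traffic) exercising both cases.
SAMPLE_CREATE = {"request": {"uid": "c1", "operation": "CREATE", "object": {
    "kind": "Service", "metadata": {"name": "svc", "namespace": "dev"},
    "spec": {"type": "ClusterIP", "externalIPs": ["203.0.113.10"]}}}}
SAMPLE_STATUS = {"request": {"uid": "s1", "operation": "UPDATE", "subResource": "status",
    "userInfo": {"username": "system:serviceaccount:dev:app"}, "object": {
    "kind": "Service", "spec": {"type": "LoadBalancer"},
    "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.20"}]}}}}}
```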

Exploit

Weakness Enumeration

Related Identifiers

AZL-31696
AZL-31731
AZL-34893
AZL-35135
CVE-2020-8554
GHSA-J9WF-VVM6-4R9W
RHSA-2021:0079

Affected Products

Kubernetes