PT-2020-20208 · Kubernetes +1
Ariel Zelivansky +3
Published 2020-07-03 · Updated 2025-08-08
CVE-2020-8558
CVSS v3.1: 8.8 (High)
| Vector | AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Kubernetes versions 1.1.0 through 1.16.10
Kubernetes versions 1.17.0 through 1.17.6
Kubernetes versions 1.18.0 through 1.18.3
Description
A security issue in the kubelet and kube-proxy components allows adjacent hosts to reach TCP and UDP services bound to 127.0.0.1 running on the node or in the node's network namespace. kube-proxy enables the kernel setting net.ipv4.conf.all.route_localnet on every node so that NodePort services can be reached via 127.0.0.1 from the node itself; with that setting on, the kernel no longer discards packets addressed to 127.0.0.0/8 that arrive on a non-loopback interface. A host on the same LAN, or a container on the same node, that can place an IPv4 packet with destination 127.0.0.1 onto the node's link can therefore reach services that were assumed to be reachable only by processes on the same host. For instance, a TCP service running on a node and listening on 127.0.0.1:1234 could be reachable by other hosts or containers, which is a problem wherever such a service relies on its loopback binding instead of authentication. The highest-impact case is a control-plane node on which the kube-apiserver insecure port (--insecure-port, default 8080) is enabled, since that port accepts unauthenticated requests and grants full control of the cluster; the 8.8 vector above corresponds to that case, and the impact is lower where only other localhost-bound services on a node are exposed. IPv6-only services on localhost are not affected by this issue.
Recommendations
Upgrade the kubelet and kube-proxy on every node to a fixed release: 1.16.11 or later for versions 1.1.0 through 1.16.10, 1.17.7 or later for versions 1.17.0 through 1.17.6, and 1.18.4 or later for versions 1.18.0 through 1.18.3.
Until nodes are upgraded, three interim measures reduce exposure: disable the kube-apiserver insecure port on control-plane nodes; on every node add an iptables rule that drops packets destined to 127.0.0.0/8 whose source is not in 127.0.0.0/8, excluding RELATED, ESTABLISHED and DNAT conntrack states so that legitimate service traffic still flows; and require authentication on services bound to 127.0.0.1 rather than relying on the loopback binding alone. Note that the first two measures do not remove the underlying condition (route_localnet stays enabled), so the upgrade is still required.
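The following script is an added example and is not code from this advisory or from the Kubernetes project. It checks the two conditions the issue depends on on a node (route_localnet enabled, and no DROP rule for non-loopback traffic to 127.0.0.0/8), reports a verdict, and can insert the interim iptables rule recommended above. The rule form matched under KUBE-FIREWALL is an assumption about how fixed kubelet releases install their rule, so verify it against your own iptables-save output; the SAMPLE_* texts are constructed for the offline self-check, not captured from a real cluster.

```shell
#!/bin/sh
# Added example (not from the advisory or the Kubernetes project): assess a
# node for CVE-2020-8558 and optionally apply the interim iptables mitigation.
# Assumptions: Linux node with iptables/iptables-save; run as root for --live.

# Returns 0 when the kernel routes packets addressed to 127.0.0.0/8 that
# arrive on a non-loopback interface. kube-proxy sets this sysctl to 1.
# $1 (optional): path to the sysctl file; defaults to the live kernel value.
route_localnet_enabled() {
    f="${1:-/proc/sys/net/ipv4/conf/all/route_localnet}"
    [ "$(cat "$f" 2>/dev/null)" = "1" ]
}

# Returns 0 when iptables-save output on stdin already contains a DROP rule
# for traffic to 127.0.0.0/8 that did not come from 127.0.0.0/8, either in
# INPUT (manual mitigation) or in kubelet's KUBE-FIREWALL chain (assumed form
# of the rule installed by fixed releases; iptables-save always prints -s
# before -d, whichever order the rule was typed in).
has_localnet_drop_rule() {
    grep -Eq -e '^-A (INPUT|KUBE-FIREWALL) ! -s 127\.0\.0\.0/8 -d 127\.0\.0\.0/8 .*-j DROP$'
}

# Combines both checks. $1: route_localnet value ("0" or "1");
# stdin: iptables-save output. Returns 0 when the node is exposed, 1 otherwise.
assess() {
    if [ "$1" != "1" ]; then
        echo "not exposed: route_localnet is 0"
        return 1
    fi
    if has_localnet_drop_rule; then
        echo "not exposed: localnet DROP rule present"
        return 1
    fi
    echo "EXPOSED: route_localnet=1 and no DROP rule for 127.0.0.0/8 from non-loopback sources"
    return 0
}

# Interim mitigation: drop packets addressed to 127.0.0.0/8 that did not
# originate from loopback, except packets belonging to connections the node
# established itself or DNAT'ed (normal service traffic keeps working).
mitigate() {
    iptables -I INPUT --dst 127.0.0.0/8 ! --src 127.0.0.0/8 \
        -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
}

# Constructed sample: a node with neither the fix nor the mitigation present.
SAMPLE_UNPATCHED='*filter
:INPUT ACCEPT [0:0]
:KUBE-FIREWALL - [0:0]
-A INPUT -j KUBE-FIREWALL
-A KUBE-FIREWALL -m mark --mark 0x8000/0x8000 -j DROP
COMMIT'

# Constructed sample: the same node after a fixed kubelet installed its rule
# (assumed rule form; check your own nodes).
SAMPLE_PATCHED='*filter
:INPUT ACCEPT [0:0]
:KUBE-FIREWALL - [0:0]
-A INPUT -j KUBE-FIREWALL
-A KUBE-FIREWALL -m mark --mark 0x8000/0x8000 -j DROP
-A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 ! -i lo -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
COMMIT'

# Live check on this node: sh check.sh --live [--apply]
if [ "${1:-}" = "--live" ]; then
    if route_localnet_enabled; then v=1; else v=0; fi
    if iptables-save | assess "$v" && [ "${2:-}" = "--apply" ]; then
        mitigate && echo "mitigation rule inserted"
    fi
fi
```

Run it on each node with `--live` first and only add `--apply` once the verdict is EXPOSED; the rule is inserted at the head of INPUT and is not persistent across reboots, so treat it as a stopgap until the node is upgraded.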
Affected Products
Alt Linux
Kubernetes