All errata/sisyphus/ALT-PU-2021-2101-2
ALT-PU-2021-2101-2

Package update kubernetes in branch sisyphus

Version1.20.8-alt1
Task#276507
Published2026-02-04
Max severityMEDIUM
Severity:

Closed issues (10)

BDU:2022-01684
MEDIUM6.5

Уязвимость компонента kube-apiserver программного средства управления кластерами виртуальных машин Kubernetes, позволяющая нарушителю нарушить целостность данных, а также вызвать отказ в обслуживании

Published: 2022-04-01
CVSS 3.xMEDIUM 6.5
CVSS:3.x/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
CVSS 2.0HIGH 8.5
CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:C/A:C
References
BDU:2022-02241
MEDIUM4.8

Уязвимость программного средства управления кластерами виртуальных машин Kubernetes, связанная с использованием открытой переадресации, позволяющая нарушителю получить доступ к конфиденциальным данным и нарушить их целостность

Published: 2022-04-14Modified: 2022-06-27
CVSS 3.xMEDIUM 4.8
CVSS:3.x/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CVSS 2.0MEDIUM 4.9
CVSS:2.0/AV:N/AC:M/Au:S/C:P/I:P/A:N
References
CVE-2020-8562
LOW3.1

As mitigations to a report from 2019 and CVE-2020-8555, Kubernetes attempts to prevent proxied connections from accessing link-local or localhost networks when making user-driven connections to Services, Pods, Nodes, or StorageClass service providers. As part of this mitigation Kubernetes does a DNS name resolution check and validates that response IPs are not in the link-local (169.254.0.0/16) or localhost (127.0.0.0/8) range. Kubernetes then performs a second DNS resolution without validation for the actual connection. If a non-standard DNS server returns different non-cached responses, a user may be able to bypass the proxy IP restriction and access private networks on the control plane.

Published: 2022-02-01Modified: 2024-11-21
CVSS 2.0LOW 3.5
CVSS:2.0/AV:N/AC:M/Au:S/C:P/I:N/A:N
CVSS 3.xLOW 3.1
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
References
CVE-2021-25735
MEDIUM6.5

A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object. Validating Admission Webhook does not observe some previous fields.

Published: 2021-09-06Modified: 2024-11-21
CVSS 2.0MEDIUM 5.5
CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:P/A:P
CVSS 3.xMEDIUM 6.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
References
CVE-2021-25736
MEDIUM6.3

Kube-proxy on Windows can unintentionally forward traffic to local processes listening on the same port (“spec.ports[*].port”) as a LoadBalancer Service when the LoadBalancer controller does not set the “status.loadBalancer.ingress[].ip” field. Clusters where the LoadBalancer controller sets the “status.loadBalancer.ingress[].ip” field are unaffected.

Published: 2023-10-30Modified: 2025-06-12
CVSS 3.xMEDIUM 6.3
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
References
CVE-2021-25737
MEDIUM4.8

A security issue was discovered in Kubernetes where a user may be able to redirect pod traffic to private networks on a Node. Kubernetes already prevents creation of Endpoint IPs in the localhost or link-local range, but the same validation was not performed on EndpointSlice IPs.

Published: 2021-09-06Modified: 2024-11-21
CVSS 2.0MEDIUM 4.9
CVSS:2.0/AV:N/AC:M/Au:S/C:P/I:P/A:N
CVSS 3.xMEDIUM 4.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
References
GHSA-35c7-w35f-xwgh
MEDIUM5.8

Kube-proxy may unintentionally forward traffic

Published: 2023-10-30Modified: 2025-02-13
CVSS 3.xMEDIUM 5.8
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N
References
GHSA-g42g-737j-qx6j
MEDIUM6.5

Access Restriction Bypass in kube-apiserver

Published: 2021-05-28Modified: 2022-03-22
CVSS 3.xMEDIUM 6.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
References
GHSA-qh36-44jv-c8xj
LOW3.1

Potential proxy IP restriction bypass in Kubernetes

Published: 2022-02-02Modified: 2024-08-07
CVSS 3.xLOW 3.1
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
References