Hello Kubernetes Community,
A security issue was discovered in the Windows version of kube-proxy where a process on a Node may be able to accept traffic intended for a LoadBalancer Service. Clusters without Windows nodes are unaffected.
This issue has been rated Medium (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N)), and assigned CVE-2021-25736.
Kube-proxy on Windows can unintentionally forward traffic to local processes listening on the same port (“spec.ports[*].port”) as a LoadBalancer Service when the LoadBalancer controller does not set the “status.loadBalancer.ingress.ip” field. Clusters where the LoadBalancer controller sets the “status.loadBalancer.ingress.ip” field are unaffected.
Affected Components and Configurations
Windows kube-proxy. Clusters with Windows nodes are affected by this vulnerability.
This issue has been fixed in the following versions:
Unexpected processes listening on the same port as used by a LoadBalancer service could indicate exploitation of this issue, and should be investigated.
If you find evidence that this vulnerability has been exploited, please contact secu...@kubernetes.io
See the GitHub issue for more details: https://github.com/kubernetes/kubernetes/pull/99958
This vulnerability was discovered by Eric Paris & Christian Hernandez from Red Hat.
Swamy Shivaganga Nagaraju, on behalf of the Kubernetes Product Security Committee