[Security Advisory] CVE-2021-25736: Windows kube-proxy LoadBalancer contention

Skip to first unread message

Swamy Shivaganga Nagaraju

May 10, 2021, 11:35:35 PM5/10/21
to kubernete...@googlegroups.com, kuberne...@googlegroups.com, kubernetes-sec...@googlegroups.com, kubernetes-se...@googlegroups.com, distributo...@kubernetes.io, kubernetes+a...@discoursemail.com

Hello Kubernetes Community,

A security issue was discovered in the Windows version of kube-proxy where a process on a Node may be able to accept traffic intended for a LoadBalancer Service. Clusters without Windows nodes are unaffected. 


This issue has been rated Medium (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N)), and assigned CVE-2021-25736.


Kube-proxy on Windows can unintentionally forward traffic to local processes listening on the same port (“spec.ports[*].port”) as a LoadBalancer Service when the LoadBalancer controller does not set the “status.loadBalancer.ingress[].ip” field. Clusters where the LoadBalancer controller sets the “status.loadBalancer.ingress[].ip” field are unaffected.


Affected Components and Configurations

Windows kube-proxy. Clusters with Windows nodes are affected by this vulnerability.


Affected Versions

  • Kubernetes <= v1.20.5
  • Kubernetes <= v1.19.9
  • Kubernetes <= v1.18.17


Fixed Versions

This issue has been fixed in the following versions:

  • v1.21.0
  • v1.20.6
  • v1.19.10
  • v1.18.18





Unexpected processes listening on the same port as used by a LoadBalancer service could indicate exploitation of this issue, and should be investigated.

If you find evidence that this vulnerability has been exploited, please contact secu...@kubernetes.io

Additional Details
See the GitHub issue for more details: https://github.com/kubernetes/kubernetes/pull/99958


This vulnerability was discovered by  Eric Paris & Christian Hernandez from Red Hat.



Thank You,

  Swamy Shivaganga Nagaraju, on behalf of the Kubernetes Product Security Committee


Reply all
Reply to author
0 new messages