IBM Support

Security Bulletin: IBM Cloud Private is vulnerable to Kubernetes vulnerabilities

Security Bulletin


Summary

IBM Cloud Private is vulnerable to Kubernetes vulnerabilities

Vulnerability Details

CVEID:   CVE-2020-8555
DESCRIPTION:   Kubernetes is vulnerable to server-side request forgery, caused by a flaw in the kube-controller-manager. By using a specially-crafted argument, a remote authenticated attacker could exploit this vulnerability to conduct SSRF attack to leak up to 500 bytes of arbitrary information from unprotected endpoints.
CVSS Base score: 3.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/182744 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N)

CVEID:   CVE-2020-8553
DESCRIPTION:   Kubernetes ingress-nginx could allow a remote authenticated attacker to bypass security restrictions, caused by a flaw when the annotation nginx.ingress.kubernetes.io/auth-type: basic is used. By sending a specially-crafted request, an attacker could exploit this vulnerability to create a new Ingress definition and replace the password file.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/186050 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N)

CVEID:   CVE-2018-1002102
DESCRIPTION:   Kubernetes API server could allow a remote authenticated attacker to conduct phishing attacks, caused by an improper validation of URL redirection. An attacker could exploit this vulnerability using a specially-crafted URL to redirect a victim to arbitrary Web sites.
CVSS Base score: 2.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/172732 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N)

CVEID:   CVE-2019-11252
DESCRIPTION:   Kubernetes kube-controller-manager could allow a remote authenticated attacker to obtain sensitive information, caused by the leaking of user credentials in error messages in the mount failure logs and events for AzureFile and CephFS volumes. By gaining access to the log files, an attacker could exploit this vulnerability to obtain user credentials.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185780 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID:   CVE-2020-8558
DESCRIPTION:   Kubernetes kube-proxy could allow a remote attacker to bypass security restrictions, caused by a default insecure port setting. By sending a specially-crafted request, an attacker could exploit this vulnerability to gain access to TCP and UDP services on the node(s) which are bound to 127.0.0.1.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/184769 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Affected Products and Versions

Affected Product(s)Version(s)
IBM Cloud Private3.2.1 CD
IBM Cloud Private3.2.2 CD

Remediation/Fixes

Product defect fixes and security updates are only available for the two most recent Continuous Delivery (CD) update packages
  • IBM Cloud Private 3.2.1
  • IBM Cloud Private 3.2.2


For IBM Cloud Private 3.2.1, the defect fixes for Kubernetes requires an update to the Kubernetes version. First apply the 3.2.1.2003 fix pack and then apply either the 3.2.2.2006 fixpack or the 3.2.2.2008 fixpack. Then apply the 3.2.2.2012 fixpack. The 3.2.2.2006 or the 3.2.2.2008 fixpack updates Kubernetes from version 1.13.12 to 1.16.7. The 3.2.2.2012 updates Kubernetes from version 1.16.7 to 1.19


For IBM Cloud Private 3.2.2, apply fix pack:


For IBM Cloud Private 3.1.0, 3.1.1, 3.1.2, 3.2.0:

  • Upgrade to the latest Continuous Delivery (CD) update package, IBM Cloud Private 3.2.2. 
  • If required, individual product fixes can be made available between CD update packages for resolution of problems. Contact IBM support for assistance

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Off

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

26 Feb 2021: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Location

Worldwide

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSBS6K","label":"IBM Cloud Private"},"Component":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"all","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
26 February 2021

Initial Publish date:
26 February 2021

UID

ibm16417467

Page Feedback