Security Bulletin: Multiple vulnerabilities in Kubernetes affect IBM InfoSphere Information Server

CVEID:   CVE-2020-8557
DESCRIPTION:   Kubernetes kubelet is vulnerable to a denial of service, caused by an issue with not including the /etc/hostsfile file by the kubelet eviction manager when calculating ephemeral storage usage. By writing a large amount of data to the /etc/hostsfile, a local authenticated attacker could exploit this vulnerability to fill the storage space of the node and cause the node to fail.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185301 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2020-8559
DESCRIPTION:   Kubernetes kube-apiserver could allow a remote authenticated attacker to gain elevated privileges on the system, caused by a flaw when multiple clusters share the same certificate authority trusted by the client. By intercepting certain requests and sending a redirect response, an attacker could exploit this vulnerability to compromise other nodes.
CVSS Base score: 6.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185302 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H)

CVEID:   CVE-2020-8555
DESCRIPTION:   Kubernetes is vulnerable to server-side request forgery, caused by a flaw in the kube-controller-manager. By using a specially-crafted argument, a remote authenticated attacker could exploit this vulnerability to conduct SSRF attack to leak up to 500 bytes of arbitrary information from unprotected endpoints.
CVSS Base score: 3.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/182744 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N)

CVEID:   CVE-2020-8553
DESCRIPTION:   Kubernetes ingress-nginx could allow a remote authenticated attacker to bypass security restrictions, caused by a flaw when the annotation nginx.ingress.kubernetes.io/auth-type: basic is used. By sending a specially-crafted request, an attacker could exploit this vulnerability to create a new Ingress definition and replace the password file.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/186050 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N)

CVEID:   CVE-2018-1002102
DESCRIPTION:   Kubernetes API server could allow a remote authenticated attacker to conduct phishing attacks, caused by an improper validation of URL redirection. An attacker could exploit this vulnerability using a specially-crafted URL to redirect a victim to arbitrary Web sites.
CVSS Base score: 2.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/172732 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N)

CVEID:   CVE-2020-8558
DESCRIPTION:   Kubernetes kube-proxy could allow a remote attacker to bypass security restrictions, caused by a default insecure port setting. By sending a specially-crafted request, an attacker could exploit this vulnerability to gain access to TCP and UDP services on the node(s) which are bound to 127.0.0.1.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/184769 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Third Party Entry:   182747
DESCRIPTION:   Kubernetes kubelet man-in-the-middle
CVSS Base score: 6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/182747 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L)