Updated on 2023-08-02 GMT+08:00

Notice on the Kubernetes Security Vulnerability (CVE-2020-8554)

Description

CVE-2020-8554 is a man-in-the-middle (MITM) vulnerability that affects every version of Kubernetes; its impact is greatest on multi-tenant clusters. An attacker with permission to create or update Services and pods can intercept traffic from other pods or nodes in the cluster. By setting the spec.externalIPs field of a Service, the attacker can intercept traffic that other pods or nodes send to that external IP (for example, a well-known public IP address) and redirect it to a malicious pod the attacker created, which is a man-in-the-middle attack. The status.loadBalancer.ingress.ip field of a Service can be modified to the same effect.

Table 1 Vulnerability information

Type                    CVE-ID           Severity   Discovered
Traffic interception    CVE-2020-8554    Medium     2020-12-07

Impact

  • Multi-tenant clusters

  • Clusters of all Kubernetes versions

Solution

You are advised to check all Services that use externalIPs or a loadBalancerIP to determine whether any of them are vulnerable.

This vulnerability is caused by a design defect in Kubernetes. Take the following precautionary measures:

  • Restrict the use of loadBalancerIP

    The Kubernetes community advises cluster administrators not to grant users in the cluster patch permission on Service and Service status objects, and therefore provides no separate preventive measure for loadBalancerIP. If you need to restrict the use of loadBalancerIP, refer to the preventive measures for externalIP.
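As an added example (not code from this advisory or from the CCE product), the following Python audit helper parses the JSON that `kubectl get services --all-namespaces -o json` prints, lists every Service that claims an address through spec.externalIPs or status.loadBalancer.ingress.ip, and applies the kind of CIDR allowlist check that a validating admission webhook restricting externalIPs would perform. The Service list embedded in it is constructed for illustration; its namespaces, names and addresses are placeholders, not data from the advisory.

```python
"""Audit helpers for CVE-2020-8554 (added example, not part of the advisory)."""
import ipaddress
import json

# Constructed sample in the shape of `kubectl get services -A -o json` output.
# Namespaces, names and addresses are placeholders (RFC 5737 documentation ranges).
SAMPLE_SERVICE_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "metadata": {"namespace": "kube-system", "name": "kube-dns"},
            "spec": {"type": "ClusterIP", "clusterIP": "10.247.3.10"},
            "status": {"loadBalancer": {}},
        },
        {
            "metadata": {"namespace": "tenant-a", "name": "web"},
            "spec": {"type": "ClusterIP", "externalIPs": ["203.0.113.10", "192.0.2.1"]},
            "status": {"loadBalancer": {}},
        },
        {
            "metadata": {"namespace": "tenant-b", "name": "api"},
            "spec": {"type": "LoadBalancer"},
            "status": {"loadBalancer": {"ingress": [{"ip": "198.51.100.5"}]}},
        },
    ],
})


def sample_services():
    """Parsed Service objects from the constructed sample list."""
    return json.loads(SAMPLE_SERVICE_LIST)["items"]


def service_ref(svc):
    meta = svc.get("metadata", {})
    return meta.get("namespace", "default"), meta.get("name", "")


def external_ips(svc):
    """Addresses from spec.externalIPs (empty list when the field is absent)."""
    return list(svc.get("spec", {}).get("externalIPs") or [])


def load_balancer_ingress_ips(svc):
    """Addresses from status.loadBalancer.ingress[].ip (hostname-only entries skipped)."""
    lb = svc.get("status", {}).get("loadBalancer") or {}
    return [entry["ip"] for entry in (lb.get("ingress") or []) if entry.get("ip")]


def find_exposed_services(service_list_json):
    """Return (namespace, name, field, ip) for every address a Service claims
    through either of the two fields described in the advisory."""
    findings = []
    for svc in json.loads(service_list_json).get("items", []):
        ns, name = service_ref(svc)
        for ip in external_ips(svc):
            findings.append((ns, name, "spec.externalIPs", ip))
        for ip in load_balancer_ingress_ips(svc):
            findings.append((ns, name, "status.loadBalancer.ingress.ip", ip))
    return findings


def external_ips_outside_allowlist(svc, allowed_cidrs):
    """Admission-style check: externalIPs that fall inside none of the allowed CIDRs.
    A validating webhook that denies the Service whenever this list is non-empty
    implements the externalIP restriction the advisory refers to."""
    networks = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    offending = []
    for ip in external_ips(svc):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            offending.append(ip)  # unparsable value: never allow it through
            continue
        if not any(addr in net for net in networks):
            offending.append(ip)
    return offending


if __name__ == "__main__":
    for ns, name, field, ip in find_exposed_services(SAMPLE_SERVICE_LIST):
        print(f"{ns}/{name}: {field} = {ip}")
    web = sample_services()[1]
    print("outside allowlist:", external_ips_outside_allowlist(web, ["203.0.113.0/24"]))
```

To run this against a real cluster, replace SAMPLE_SERVICE_LIST with the output of `kubectl get services --all-namespaces -o json` and set the allowlist to the address ranges your organisation actually owns; any finding under status.loadBalancer.ingress.ip that does not match an address your load balancer provider assigned deserves the same attention as an unexpected externalIP.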