Kubernetes recently disclosed vulnerability CVE-2021-25737, which affects the kube-apiserver component. kube-apiserver does not check whether the IP addresses used by the endpoints of an EndpointSlice are valid, which attackers can exploit to redirect traffic to the network in which cluster nodes are deployed. This topic describes vulnerability CVE-2021-25737, its impacts, and its fixes.

Vulnerability CVE-2021-25737 is rated as low severity and the Common Vulnerability Scoring System (CVSS) score of the vulnerability is 2.7.

Symptom

You can list all EndpointSlices in your cluster by running kubectl commands or by calling the API. If the IP address of any endpoint of an EndpointSlice falls within 127.0.0.0/8 or 169.254.0.0/16, the cluster is exposed to attacks that exploit this vulnerability. For more information, see #101084.
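As an added example (not part of the original advisory), the following Python script performs the check described above offline: it walks an EndpointSliceList in the shape that `kubectl get endpointslices -A -o json` returns and flags every endpoint address inside 127.0.0.0/8 or 169.254.0.0/16. The embedded list is constructed sample data; the namespace and slice names in it are hypothetical.

```python
import ipaddress

# The two address ranges named in the advisory for CVE-2021-25737 (IPv4 only).
BLOCKED_RANGES = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
]


def address_is_blocked(addr: str) -> bool:
    """Return True if addr parses as an IP address inside a blocked range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        # Not an IP literal (e.g. an FQDN address type); nothing to compare.
        return False
    return any(ip in net for net in BLOCKED_RANGES)


def find_risky_endpoints(slice_list: dict) -> list:
    """Return (namespace, name, address) for each endpoint address in a blocked range.

    slice_list is a parsed EndpointSliceList, as produced by
    `kubectl get endpointslices -A -o json`.
    """
    hits = []
    for item in slice_list.get("items", []):
        meta = item.get("metadata", {})
        ns, name = meta.get("namespace", ""), meta.get("name", "")
        for endpoint in item.get("endpoints") or []:
            for addr in endpoint.get("addresses") or []:
                if address_is_blocked(addr):
                    hits.append((ns, name, addr))
    return hits


# Constructed sample input: one ordinary slice and one slice whose endpoints
# point at loopback and link-local addresses (hypothetical names).
SAMPLE = {
    "kind": "EndpointSliceList",
    "items": [
        {"metadata": {"namespace": "default", "name": "web-abc12"},
         "addressType": "IPv4",
         "endpoints": [{"addresses": ["10.244.1.5"]}]},
        {"metadata": {"namespace": "test-ns", "name": "probe-7f2qc"},
         "addressType": "IPv4",
         "endpoints": [{"addresses": ["127.0.0.1"]},
                       {"addresses": ["169.254.10.20"]},
                       {"addresses": ["10.0.0.9"]}]},
    ],
}

if __name__ == "__main__":
    for ns, name, addr in find_risky_endpoints(SAMPLE):
        print(f"{ns}/{name}: endpoint address {addr} is in a blocked range")
```

To run it against a live cluster, replace SAMPLE with `json.load()` of the kubectl output; an empty result means no EndpointSlice currently carries an address in either range.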

Impacts

The following kube-apiserver versions are affected:

  • v1.21.0
  • v1.20.0 to v1.20.6
  • v1.19.0 to v1.19.10
  • v1.16.0 to v1.18.18
    Note By default, the EndpointSlice feature is disabled in kube-apiserver 1.16 to 1.18. Therefore, clusters that use default kube-apiserver settings are not affected.

This vulnerability is fixed in the following Kubernetes versions:

  • v1.21.1
  • v1.20.7
  • v1.19.11
  • v1.18.19

Fixes

You can deploy the gatekeeper component to function as a validating admission webhook that rejects EndpointSlices whose endpoint IP addresses fall within 127.0.0.0/8 or 169.254.0.0/16. This prevents such EndpointSlices from being used to reach the cluster network. For more information, see gatekeeper.