Vulnerability CVE-2021-25737 was recently disclosed by Kubernetes. The vulnerability affects the kube-apiserver component: Kubernetes does not check whether the IP addresses used by the endpoints of an EndpointSlice are valid, and attackers can exploit this to redirect traffic to the network in which cluster nodes are deployed. This topic describes CVE-2021-25737, its impacts, and the fixes for it.
Vulnerability CVE-2021-25737 is rated as low severity and the Common Vulnerability Scoring System (CVSS) score of the vulnerability is 2.7.
Symptom
You can list all EndpointSlices in your cluster by running kubectl commands or by calling the API. If the IP address of an endpoint of an EndpointSlice falls within 127.0.0.0/8 or 169.254.0.0/16, the cluster is exposed to attacks that exploit this vulnerability. For more information, see #101084.
Impacts
The following kube-apiserver versions are affected:
- v1.21.0
- v1.20.0 to v1.20.6
- v1.19.0 to v1.19.10
- v1.16.0 to v1.18.18
Note: By default, the EndpointSlice feature is disabled in kube-apiserver 1.16 to 1.18. Therefore, clusters that use default kube-apiserver settings are not affected.
This vulnerability is fixed in the following Kubernetes versions:
- v1.21.1
- v1.20.7
- v1.19.11
- v1.18.19
Fixes
You can deploy the gatekeeper component to function as a validating admission webhook. This prohibits access to the cluster network from EndpointSlices whose endpoint IP addresses fall within 127.0.0.0/8 or 169.254.0.0/16. For more information, see gatekeeper.