Headline
CVE-2021-25736: For LoadBalancer Service type don't create a HNS policy for empty or invalid external loadbalancer IP by sbangari · Pull Request #99958 · kubernetes/kubernetes
Kube-proxy on Windows can unintentionally forward traffic to local processes listening on the same port (“spec.ports[*].port”) as a LoadBalancer Service when the LoadBalancer controller does not set the “status.loadBalancer.ingress[].ip” field. Clusters where the LoadBalancer controller sets the “status.loadBalancer.ingress[].ip” field are unaffected.
What type of PR is this?
/kind bug
What this PR does / why we need it:
The PR fixes an issue where an empty IP address value in the load balancer ingress IP field is breaking the data path. Kube proxy doesn’t honor the ingress IP address being empty and plumbs an invalid HNS policy. The fix prevents the plumbing of such invalid HNS policy.
Which issue(s) this PR fixes:
Fixes #99964
Special notes for your reviewer:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:
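The defensive check the PR describes, validating every `status.loadBalancer.ingress[].ip` value before any HNS load balancer policy is plumbed, as an added illustration that is not the PR's own code and not the kube-proxy or Kubernetes API types. `LoadBalancerIngress`, `HNSPolicy`, `externalIPsForPolicy` and `buildLoadBalancerPolicies` are hypothetical names chosen for this example; the only real library call is `net.ParseIP` from the Go standard library.

```go
package main

import (
	"fmt"
	"net"
)

// LoadBalancerIngress is a simplified stand-in for one entry of
// status.loadBalancer.ingress[] (hypothetical, not the Kubernetes API type).
type LoadBalancerIngress struct {
	IP       string
	Hostname string
}

// HNSPolicy is a stand-in for the Windows HNS load balancer policy that
// kube-proxy plumbs for a LoadBalancer Service. Only the fields needed to
// show the check are kept (hypothetical, not the real HNS policy type).
type HNSPolicy struct {
	ExternalIP string
	Port       int32
}

// externalIPsForPolicy keeps only ingress entries whose IP field holds a
// syntactically valid IPv4 or IPv6 address. Empty values and unparsable
// strings are dropped instead of being turned into a policy, which is the
// failure mode behind CVE-2021-25736 (an invalid VIP led to traffic being
// forwarded to local processes on the same port).
func externalIPsForPolicy(ingress []LoadBalancerIngress) []string {
	var ips []string
	for _, entry := range ingress {
		if entry.IP == "" {
			continue // controller did not set the IP field: nothing to plumb
		}
		if net.ParseIP(entry.IP) == nil {
			continue // not an IP literal: refuse rather than plumb garbage
		}
		ips = append(ips, entry.IP)
	}
	return ips
}

// buildLoadBalancerPolicies returns one policy per usable external IP for the
// given service port. When no ingress entry carries a valid IP it returns an
// empty slice, so the caller creates no policy at all.
func buildLoadBalancerPolicies(ingress []LoadBalancerIngress, port int32) []HNSPolicy {
	var policies []HNSPolicy
	for _, ip := range externalIPsForPolicy(ingress) {
		policies = append(policies, HNSPolicy{ExternalIP: ip, Port: port})
	}
	return policies
}

func main() {
	// Constructed sample status: the first two entries reproduce the bad
	// inputs (empty and invalid), the third is a usable VIP, the fourth is a
	// hostname-only ingress as some cloud controllers populate it.
	ingress := []LoadBalancerIngress{
		{IP: ""},
		{IP: "not-an-ip"},
		{IP: "10.0.0.5"},
		{Hostname: "lb.example.invalid"},
	}
	for _, p := range buildLoadBalancerPolicies(ingress, 8080) {
		fmt.Printf("plumb HNS policy: vip=%s port=%d\n", p.ExternalIP, p.Port)
	}
	if len(buildLoadBalancerPolicies(nil, 80)) == 0 {
		fmt.Println("no ingress IP set: no policy created")
	}
}
```

The point of splitting the filter out of the policy builder is that the decision "is there anything to plumb" is made once, on parsed values, and an empty result short-circuits policy creation; a hostname-only ingress is legitimately skipped here because it carries no IP for an HNS VIP.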