diff options
Diffstat (limited to 'recipes-containers/kubernetes/kubernetes/CVE-2020-8558.patch')
-rw-r--r-- | recipes-containers/kubernetes/kubernetes/CVE-2020-8558.patch | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2020-8558.patch b/recipes-containers/kubernetes/kubernetes/CVE-2020-8558.patch new file mode 100644 index 00000000..9eeed26c --- /dev/null +++ b/recipes-containers/kubernetes/kubernetes/CVE-2020-8558.patch | |||
@@ -0,0 +1,51 @@ | |||
1 | From d22a61e21d677f7527bc8a4aeb3288c5e11dd49b Mon Sep 17 00:00:00 2001 | ||
2 | From: Casey Callendrello <cdc@redhat.com> | ||
3 | Date: Fri, 29 May 2020 13:03:37 +0200 | ||
4 | Subject: [PATCH] kubelet: block non-forwarded packets from crossing the | ||
5 | localhost boundary | ||
6 | |||
7 | We set route_localnet so that host-network processes can connect to | ||
8 | <127.0.0.1:NodePort> and it still works. This, however, is too | ||
9 | permissive. | ||
10 | |||
11 | So, block martians that are not already in conntrack. | ||
12 | |||
13 | See: #90259 | ||
14 | Signed-off-by: Casey Callendrello <cdc@redhat.com> | ||
15 | CVE: CVE-2020-8558 | ||
16 | Upstream-Status: Backport [https://github.com/kubernetes/kubernetes.git branch:release-1.16] | ||
17 | Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> | ||
18 | --- | ||
19 | src/import/pkg/kubelet/kubelet_network_linux.go | 16 ++++++++++++++++ | ||
20 | 1 file changed, 16 insertions(+) | ||
21 | |||
22 | diff --git a/src/import/pkg/kubelet/kubelet_network_linux.go b/src/import/pkg/kubelet/kubelet_network_linux.go | ||
23 | index 1c9ad46b989..d18ab75a053 100644 | ||
24 | --- a/src/import/pkg/kubelet/kubelet_network_linux.go | ||
25 | +++ b/src/import/pkg/kubelet/kubelet_network_linux.go | ||
26 | @@ -68,6 +68,22 @@ func (kl *Kubelet) syncNetworkUtil() { | ||
27 | klog.Errorf("Failed to ensure rule to drop packet marked by %v in %v chain %v: %v", KubeMarkDropChain, utiliptables.TableFilter, KubeFirewallChain, err) | ||
28 | return | ||
29 | } | ||
30 | + | ||
31 | + // drop all non-local packets to localhost if they're not part of an existing | ||
32 | + // forwarded connection. See #90259 | ||
33 | + if !kl.iptClient.IsIpv6() { // ipv6 doesn't have this issue | ||
34 | + if _, err := kl.iptClient.EnsureRule(utiliptables.Append, utiliptables.TableFilter, KubeFirewallChain, | ||
35 | + "-m", "comment", "--comment", "block incoming localnet connections", | ||
36 | + "--dst", "127.0.0.0/8", | ||
37 | + "!", "--src", "127.0.0.0/8", | ||
38 | + "-m", "conntrack", | ||
39 | + "!", "--ctstate", "RELATED,ESTABLISHED,DNAT", | ||
40 | + "-j", "DROP"); err != nil { | ||
41 | + klog.Errorf("Failed to ensure rule to drop invalid localhost packets in %v chain %v: %v", utiliptables.TableFilter, KubeFirewallChain, err) | ||
42 | + return | ||
43 | + } | ||
44 | + } | ||
45 | + | ||
46 | if _, err := kl.iptClient.EnsureRule(utiliptables.Prepend, utiliptables.TableFilter, utiliptables.ChainOutput, "-j", string(KubeFirewallChain)); err != nil { | ||
47 | klog.Errorf("Failed to ensure that %s chain %s jumps to %s: %v", utiliptables.TableFilter, utiliptables.ChainOutput, KubeFirewallChain, err) | ||
48 | return | ||
49 | -- | ||
50 | 2.17.0 | ||
51 | |||