1 files changed, 51 insertions, 0 deletions
diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2020-8558.patch b/recipes-containers/kubernetes/kubernetes/CVE-2020-8558.patch
new file mode 100644
index 00000000..9eeed26c
--- /dev/null
+++ b/recipes-containers/kubernetes/kubernetes/CVE-2020-8558.patch
@@ -0,0 +1,51 @@
+From d22a61e21d677f7527bc8a4aeb3288c5e11dd49b Mon Sep 17 00:00:00 2001
+From: Casey Callendrello <cdc@redhat.com>
+Date: Fri, 29 May 2020 13:03:37 +0200
+Subject: [PATCH] kubelet: block non-forwarded packets from crossing the
+ localhost boundary
+We set route_localnet so that host-network processes can connect to
+<127.0.0.1:NodePort> and it still works. This, however, is too
+permissive.
+So, block martians that are not already in conntrack.
+See: #90259
+Signed-off-by: Casey Callendrello <cdc@redhat.com>
+CVE: CVE-2020-8558
+Upstream-Status: Backport [https://github.com/kubernetes/kubernetes.git branch:release-1.16]
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ src/import/pkg/kubelet/kubelet_network_linux.go | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+diff --git a/src/import/pkg/kubelet/kubelet_network_linux.go b/src/import/pkg/kubelet/kubelet_network_linux.go
+index 1c9ad46b989..d18ab75a053 100644
+--- a/src/import/pkg/kubelet/kubelet_network_linux.go
+++ b/src/import/pkg/kubelet/kubelet_network_linux.go
+@@ -68,6 +68,22 @@ func (kl *Kubelet) syncNetworkUtil() {
+                klog.Errorf("Failed to ensure rule to drop packet marked by %v in %v chain %v: %v", KubeMarkDropChain, utiliptables.TableFilter, KubeFirewallChain, err)
+                return
+        }
+
+       // drop all non-local packets to localhost if they're not part of an existing
+       // forwarded connection. See #90259
+       if !kl.iptClient.IsIpv6() { // ipv6 doesn't have this issue
+               if _, err := kl.iptClient.EnsureRule(utiliptables.Append, utiliptables.TableFilter, KubeFirewallChain,
+                       "-m", "comment", "--comment", "block incoming localnet connections",
+                       "--dst", "127.0.0.0/8",
+                       "!", "--src", "127.0.0.0/8",
+                       "-m", "conntrack",
+                       "!", "--ctstate", "RELATED,ESTABLISHED,DNAT",
+                       "-j", "DROP"); err != nil {
+                       klog.Errorf("Failed to ensure rule to drop invalid localhost packets in %v chain %v: %v", utiliptables.TableFilter, KubeFirewallChain, err)
+                       return
+               }
+       }
+
+        if _, err := kl.iptClient.EnsureRule(utiliptables.Prepend, utiliptables.TableFilter, utiliptables.ChainOutput, "-j", string(KubeFirewallChain)); err != nil {
+                klog.Errorf("Failed to ensure that %s chain %s jumps to %s: %v", utiliptables.TableFilter, utiliptables.ChainOutput, KubeFirewallChain, err)
+                return
+-- 
+2.17.0

diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2020-8558.patch b/recipes-containers/kubernetes/kubernetes/CVE-2020-8558.patch new file mode 100644 index 00000000..9eeed26c --- /dev/null +++ b/recipes-containers/kubernetes/kubernetes/CVE-2020-8558.patch
@@ -0,0 +1,51 @@
	1	From d22a61e21d677f7527bc8a4aeb3288c5e11dd49b Mon Sep 17 00:00:00 2001
	2	From: Casey Callendrello <cdc@redhat.com>
	3	Date: Fri, 29 May 2020 13:03:37 +0200
	4	Subject: [PATCH] kubelet: block non-forwarded packets from crossing the
	5	localhost boundary
	6
	7	We set route_localnet so that host-network processes can connect to
	8	<127.0.0.1:NodePort> and it still works. This, however, is too
	9	permissive.
	10
	11	So, block martians that are not already in conntrack.
	12
	13	See: #90259
	14	Signed-off-by: Casey Callendrello <cdc@redhat.com>
	15	CVE: CVE-2020-8558
	16	Upstream-Status: Backport [https://github.com/kubernetes/kubernetes.git branch:release-1.16]
	17	Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
	18	---
	19	src/import/pkg/kubelet/kubelet_network_linux.go \| 16 ++++++++++++++++
	20	1 file changed, 16 insertions(+)
	21
	22	diff --git a/src/import/pkg/kubelet/kubelet_network_linux.go b/src/import/pkg/kubelet/kubelet_network_linux.go
	23	index 1c9ad46b989..d18ab75a053 100644
	24	--- a/src/import/pkg/kubelet/kubelet_network_linux.go
	25	+++ b/src/import/pkg/kubelet/kubelet_network_linux.go
	26	@@ -68,6 +68,22 @@ func (kl *Kubelet) syncNetworkUtil() {
	27	klog.Errorf("Failed to ensure rule to drop packet marked by %v in %v chain %v: %v", KubeMarkDropChain, utiliptables.TableFilter, KubeFirewallChain, err)
	28	return
	29	}
	30	+
	31	+ // drop all non-local packets to localhost if they're not part of an existing
	32	+ // forwarded connection. See #90259
	33	+ if !kl.iptClient.IsIpv6() { // ipv6 doesn't have this issue
	34	+ if _, err := kl.iptClient.EnsureRule(utiliptables.Append, utiliptables.TableFilter, KubeFirewallChain,
	35	+ "-m", "comment", "--comment", "block incoming localnet connections",
	36	+ "--dst", "127.0.0.0/8",
	37	+ "!", "--src", "127.0.0.0/8",
	38	+ "-m", "conntrack",
	39	+ "!", "--ctstate", "RELATED,ESTABLISHED,DNAT",
	40	+ "-j", "DROP"); err != nil {
	41	+ klog.Errorf("Failed to ensure rule to drop invalid localhost packets in %v chain %v: %v", utiliptables.TableFilter, KubeFirewallChain, err)
	42	+ return
	43	+ }
	44	+ }
	45	+
	46	if _, err := kl.iptClient.EnsureRule(utiliptables.Prepend, utiliptables.TableFilter, utiliptables.ChainOutput, "-j", string(KubeFirewallChain)); err != nil {
	47	klog.Errorf("Failed to ensure that %s chain %s jumps to %s: %v", utiliptables.TableFilter, utiliptables.ChainOutput, KubeFirewallChain, err)
	48	return
	49	--
	50	2.17.0
	51