Candidate: CVE-2020-8562
PublicDate: 2022-02-01 11:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8562
 https://www.openwall.com/lists/oss-security/2021/05/04/8
Description:
 As mitigations to a report from 2019 and CVE-2020-8555, Kubernetes attempts
 to prevent proxied connections from accessing link-local or localhost
 networks when making user-driven connections to Services, Pods, Nodes, or
 StorageClass service providers. As part of this mitigation Kubernetes does
 a DNS name resolution check and validates that response IPs are not in the
 link-local (169.254.0.0/16) or localhost (127.0.0.0/8) range. Kubernetes
 then performs a second DNS resolution without validation for the actual
 connection. If a non-standard DNS server returns different non-cached
 responses, a user may be able to bypass the proxy IP restriction and access
 private networks on the control plane.
Ubuntu-Description:
Notes:
 leosilva> kubernates is in fact a kubernetes installer
 leosilva> that calls snap, not the package it self.
Mitigation:
Bugs:
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N [3.1 LOW]

Patches_kubernetes:
upstream_kubernetes: needs-triage
precise/esm_kubernetes: DNE
trusty_kubernetes: DNE
trusty/esm_kubernetes: DNE
xenial_kubernetes: DNE
bionic_kubernetes: DNE
focal_kubernetes: needs-triage
groovy_kubernetes: ignored (reached end-of-life)
hirsute_kubernetes: ignored (reached end-of-life)
impish_kubernetes: needs-triage
jammy_kubernetes: needs-triage
devel_kubernetes: needs-triage