The CNI (Container Network Interface) project consists of a specification and libraries for writing plugins to configure network interfaces in Linux containers, along with a number of supported plugins. CNI concerns itself only with network connectivity of containers and removing allocated resourc es when the container is deleted.
{"photon": [{"lastseen": "2022-05-12T18:27:26", "description": "Updates of ['kubernetes'] packages of Photon OS have been released.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2019-04-03T00:00:00", "type": "photon", "title": "Important Photon OS Security Update - PHSA-2019-0148", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-9946"], "modified": "2019-04-03T00:00:00", "id": "PHSA-2019-0148", "href": "https://github.com/vmware/photon/wiki/Security-Update-2.0-148", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-11-03T21:00:30", "description": "An update of {'kubernetes'} packages of Photon OS has been released.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2019-04-03T00:00:00", "type": "photon", "title": "Home\nDownload Photon OS\nUser Documentation\nFAQ\nSecurity Advisories\nRelated Information\n\nLightwave - PHSA-2019-2.0-0148", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-9946"], "modified": "2019-04-03T00:00:00", "id": "PHSA-2019-2.0-0148", "href": "https://github.com/vmware/photon/wiki/Security-Updates-2-148", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-05-12T18:04:43", "description": "Updates of ['elfutils', 'binutils', 'krb5', 'nss', 'go', 'kubernetes', 'mesos'] packages of Photon OS have been released.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2019-06-17T00:00:00", "type": "photon", "title": "Important Photon OS Security Update - PHSA-2019-0239", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-12384", "CVE-2018-12404", "CVE-2018-16873", "CVE-2018-16874", "CVE-2018-17358", "CVE-2018-17360", "CVE-2018-20217", "CVE-2018-5729", "CVE-2019-0204", "CVE-2019-1002100", "CVE-2019-1002101", "CVE-2019-5736", "CVE-2019-7148", "CVE-2019-7149", "CVE-2019-7150", "CVE-2019-9074", "CVE-2019-9946"], "modified": "2019-06-17T00:00:00", "id": "PHSA-2019-0239", "href": "https://github.com/vmware/photon/wiki/Security-Update-1.0-239", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "fedora": [{"lastseen": "2021-07-28T14:46:51", "description": "The CNI (Container Network Interface) project consists of a specification and libraries for writing plugins to configure network interfaces in Linux containers, along with a number of supported plugins. CNI concerns itself only with network connectivity of containers and removing allocated resourc es when the container is deleted. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2019-06-15T01:21:29", "type": "fedora", "title": "[SECURITY] Fedora 29 Update: containernetworking-plugins-0.7.5-1.fc29", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-9946"], "modified": "2019-06-15T01:21:29", "id": "FEDORA:876A7621D66E", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SGOOWAELGH3F7OXRBPH3HCNZELNLXYTW/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "ubuntucve": [{"lastseen": "2022-01-22T11:45:15", "description": "Cloud Native Computing Foundation (CNCF) CNI (Container Networking\nInterface) 0.7.4 has a network firewall misconfiguration which affects\nKubernetes. The CNI 'portmap' plugin, used to setup HostPorts for CNI,\ninserts rules at the front of the iptables nat chains; which take\nprecedence over the KUBE- SERVICES chain. Because of this, the\nHostPort/portmap rule could match incoming traffic even if there were\nbetter fitting, more specific service definition rules like NodePorts later\nin the chain. The issue is fixed in CNI 0.7.5 and Kubernetes 1.11.9,\n1.12.7, 1.13.5, and 1.14.0.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2019-04-02T00:00:00", "type": "ubuntucve", "title": "CVE-2019-9946", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-9946"], "modified": "2019-04-02T00:00:00", "id": "UB:CVE-2019-9946", "href": "https://ubuntu.com/security/CVE-2019-9946", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "cve": [{"lastseen": "2022-03-24T01:10:32", "description": "Cloud Native Computing Foundation (CNCF) CNI (Container Networking Interface) 0.7.4 has a network firewall misconfiguration which affects Kubernetes. The CNI 'portmap' plugin, used to setup HostPorts for CNI, inserts rules at the front of the iptables nat chains; which take precedence over the KUBE- SERVICES chain. Because of this, the HostPort/portmap rule could match incoming traffic even if there were better fitting, more specific service definition rules like NodePorts later in the chain. The issue is fixed in CNI 0.7.5 and Kubernetes 1.11.9, 1.12.7, 1.13.5, and 1.14.0.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2019-04-02T18:30:00", "type": "cve", "title": "CVE-2019-9946", "cwe": ["CWE-670"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-9946"], "modified": "2020-08-24T17:37:00", "cpe": ["cpe:/a:kubernetes:kubernetes:1.14.0", "cpe:/a:netapp:cloud_insights:-", "cpe:/a:kubernetes:kubernetes:1.13.6"], "id": "CVE-2019-9946", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-9946", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:kubernetes:kubernetes:1.14.0:beta1:*:*:*:*:*:*", "cpe:2.3:a:netapp:cloud_insights:-:*:*:*:*:*:*:*", "cpe:2.3:a:kubernetes:kubernetes:1.14.0:alpha1:*:*:*:*:*:*", "cpe:2.3:a:kubernetes:kubernetes:1.14.0:alpha0:*:*:*:*:*:*", "cpe:2.3:a:kubernetes:kubernetes:1.13.6:beta0:*:*:*:*:*:*", "cpe:2.3:a:kubernetes:kubernetes:1.14.0:beta0:*:*:*:*:*:*", "cpe:2.3:a:kubernetes:kubernetes:1.14.0:alpha2:*:*:*:*:*:*", "cpe:2.3:a:kubernetes:kubernetes:1.14.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:kubernetes:kubernetes:1.14.0:alpha3:*:*:*:*:*:*", "cpe:2.3:a:kubernetes:kubernetes:1.14.0:beta2:*:*:*:*:*:*"]}], "redhatcve": [{"lastseen": "2022-06-08T11:22:54", "description": "Cloud Native Computing Foundation (CNCF) CNI (Container Networking Interface) 0.7.4 has a network firewall misconfiguration which affects Kubernetes. The CNI 'portmap' plugin, used to setup HostPorts for CNI, inserts rules at the front of the iptables nat chains; which take precedence over the KUBE- SERVICES chain. Because of this, the HostPort/portmap rule could match incoming traffic even if there were better fitting, more specific service definition rules like NodePorts later in the chain. The issue is fixed in CNI 0.7.5 and Kubernetes 1.11.9, 1.12.7, 1.13.5, and 1.14.0.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-04-02T14:08:46", "type": "redhatcve", "title": "CVE-2019-9946", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-9946"], "modified": "2022-06-08T05:59:27", "id": "RH:CVE-2019-9946", "href": "https://access.redhat.com/security/cve/cve-2019-9946", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "openvas": [{"lastseen": "2019-06-21T12:42:36", "description": "The remote host is missing an update for the\n ", "cvss3": {}, "published": "2019-06-15T00:00:00", "type": "openvas", "title": "Fedora Update for containernetworking-plugins FEDORA-2019-24217abfdf", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9946"], "modified": "2019-06-20T00:00:00", "id": "OPENVAS:1361412562310876503", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310876503", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.876503\");\n script_version(\"2019-06-20T06:01:12+0000\");\n script_cve_id(\"CVE-2019-9946\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-06-20 06:01:12 +0000 (Thu, 20 Jun 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-06-15 02:10:02 +0000 (Sat, 15 Jun 2019)\");\n script_name(\"Fedora Update for containernetworking-plugins FEDORA-2019-24217abfdf\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC29\");\n\n script_xref(name:\"FEDORA\", value:\"2019-24217abfdf\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGOOWAELGH3F7OXRBPH3HCNZELNLXYTW\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the\n 'containernetworking-plugins' package(s) announced via the FEDORA-2019-24217abfdf\n advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is\n present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The CNI (Container Network Interface) project\n consists of a specification and libraries for writing plugins to configure\n network interfaces in Linux containers, along with a number of supported plugins.\n CNI concerns itself only with network connectivity of containers and removing\n allocated resources when the container is deleted.\");\n\n script_tag(name:\"affected\", value:\"'containernetworking-plugins' package(s) on Fedora 29.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC29\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"containernetworking-plugins\", rpm:\"containernetworking-plugins~0.7.5~1.fc29\", rls:\"FC29\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-06-14T12:42:48", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-06-13T00:00:00", "type": "openvas", "title": "Fedora Update for containernetworking-plugins FEDORA-2019-d2b57d3b19", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9946"], "modified": "2019-06-13T00:00:00", "id": "OPENVAS:1361412562310876480", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310876480", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.876480\");\n script_version(\"2019-06-13T11:51:34+0000\");\n script_cve_id(\"CVE-2019-9946\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-06-13 11:51:34 +0000 (Thu, 13 Jun 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-06-13 02:13:08 +0000 (Thu, 13 Jun 2019)\");\n script_name(\"Fedora Update for containernetworking-plugins FEDORA-2019-d2b57d3b19\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC30\");\n\n script_xref(name:\"FEDORA\", value:\"2019-d2b57d3b19\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FCN66VYB3XS76SYH567SO7N3I254JOCT\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'containernetworking-plugins'\n package(s) announced via the FEDORA-2019-d2b57d3b19 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The CNI (Container Network Interface) project consists of a specification\nand libraries for writing plugins to configure network interfaces in Linux\ncontainers, along with a number of supported plugins. CNI concerns itself\nonly with network connectivity of containers and removing allocated resources\nwhen the container is deleted.\");\n\n script_tag(name:\"affected\", value:\"'containernetworking-plugins' package(s) on Fedora 30.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC30\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"containernetworking-plugins\", rpm:\"containernetworking-plugins~0.7.5~1.fc30\", rls:\"FC30\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "nessus": [{"lastseen": "2021-10-16T00:28:46", "description": "Resolves: #1715758 - CVE-2019-9946\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}, "published": "2019-06-13T00:00:00", "type": "nessus", "title": "Fedora 30 : containernetworking-plugins (2019-d2b57d3b19)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9946"], "modified": "2020-01-10T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:containernetworking-plugins", "cpe:/o:fedoraproject:fedora:30"], "id": "FEDORA_2019-D2B57D3B19.NASL", "href": "https://www.tenable.com/plugins/nessus/125867", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2019-d2b57d3b19.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(125867);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2020/01/10\");\n\n script_cve_id(\"CVE-2019-9946\");\n script_xref(name:\"FEDORA\", value:\"2019-d2b57d3b19\");\n\n script_name(english:\"Fedora 30 : containernetworking-plugins (2019-d2b57d3b19)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Resolves: #1715758 - CVE-2019-9946\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2019-d2b57d3b19\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected containernetworking-plugins package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:containernetworking-plugins\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:30\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/04/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/06/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/06/13\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^30([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 30\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC30\", reference:\"containernetworking-plugins-0.7.5-1.fc30\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"containernetworking-plugins\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-10-16T00:30:18", "description": "An update of the kubernetes package has been released.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}, "published": "2019-05-14T00:00:00", "type": "nessus", "title": "Photon OS 2.0: Kubernetes PHSA-2019-2.0-0148", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9946"], "modified": "2020-01-16T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:kubernetes", "cpe:/o:vmware:photonos:2.0"], "id": "PHOTONOS_PHSA-2019-2_0-0148_KUBERNETES.NASL", "href": "https://www.tenable.com/plugins/nessus/124861", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2019-2.0-0148. The text\n# itself is copyright (C) VMware, Inc.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(124861);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2020/01/16\");\n\n script_cve_id(\"CVE-2019-9946\");\n\n script_name(english:\"Photon OS 2.0: Kubernetes PHSA-2019-2.0-0148\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the kubernetes package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-2-148.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-9946\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/04/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/04/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:kubernetes\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:2.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 2.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"kubernetes-1.11.9-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"kubernetes-debuginfo-1.11.9-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"kubernetes-kubeadm-1.11.9-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"kubernetes-kubectl-extras-1.11.9-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"kubernetes-pause-1.11.9-1.ph2\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kubernetes\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-10-16T00:29:02", "description": "Resolves: #1715758 - CVE-2019-9946\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}, "published": "2019-06-17T00:00:00", "type": "nessus", "title": "Fedora 29 : containernetworking-plugins (2019-24217abfdf)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9946"], "modified": "2020-01-10T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:containernetworking-plugins", "cpe:/o:fedoraproject:fedora:29"], "id": "FEDORA_2019-24217ABFDF.NASL", "href": "https://www.tenable.com/plugins/nessus/125932", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2019-24217abfdf.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(125932);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2020/01/10\");\n\n script_cve_id(\"CVE-2019-9946\");\n script_xref(name:\"FEDORA\", value:\"2019-24217abfdf\");\n\n script_name(english:\"Fedora 29 : containernetworking-plugins (2019-24217abfdf)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Resolves: #1715758 - CVE-2019-9946\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2019-24217abfdf\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected containernetworking-plugins package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:containernetworking-plugins\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:29\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/04/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/06/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/06/17\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^29([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 29\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC29\", reference:\"containernetworking-plugins-0.7.5-1.fc29\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"containernetworking-plugins\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "ibm": [{"lastseen": "2022-06-28T22:13:22", "description": "## Summary\n\nIBM API Connect has addressed the following vulnerability.\n\n## Vulnerability Details\n\n**CVEID: **[CVE-2019-9946](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9946>) \n**DESCRIPTION: **Kubernetes could provide weaker than expected security, caused by an interaction when paired with the embedded CNI (Container Networking Interface) that uses the portmap plugin. The portmap plugin inserts rules at the front of the iptables nat chains which would take precedence over the KUBE- SERVICES chain. The HostPort/portmap rule allows for matching of incoming traffic even if there are better fitting. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/158803> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n\n\n## Affected Products and Versions\n\nAffected IBM API Management | Affected Versions \n---|--- \nIBM API Connect | 2018.1-2018.4.1.4 \n \n## Remediation/Fixes\n\nAffected releases | Fixed in VRMF | APAR | Remediation / First Fix \n---|---|---|--- \nIBM API Connect V2018.1-2018.4.1.4 | 2018.4.1.5 fixpack | \n\nLI80824\n\n| \n\nAddressed in IBM API Connect v2018.4.1.5 fixpack.\n\nAll components are impacted.\n\nFollow this link and find the appropriate .ova images for 2018.4.1.5.\n\n[http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+API+Connect&release=2018.4.1.4&platform=All&function=all&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+API+Connect&release=2018.4.1.4&platform=All&function=all&source=fc>) \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n# [IBM API Connect Support Lifecycle Policy](<https://www-01.ibm.com/support/docview.wss?uid=swg22006450>)\n\n## Change History\n\nMay 19, 2019: Original bulletin published\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud & Data Platform\"},\"Product\":{\"code\":\"SSMNED\",\"label\":\"IBM API Connect\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF032\",\"label\":\"VM\"}],\"Version\":\"2018.1-2018.4.1.4\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2019-05-19T14:50:01", "type": "ibm", "title": "Security Bulletin: API Connect V2018 is impacted by a security degradation vulnerability in Kubernetes (CVE-2019-9946)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-9946"], "modified": "2019-05-19T14:50:01", "id": "777E0F1D8A8E56B6D0CFB45B0525196566E919DF3D286EA08C86551A7771576C", "href": "https://www.ibm.com/support/pages/node/882952", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-06-28T21:59:31", "description": "## Summary\n\nIBM Cloud Kubernetes Service is affected by a CNI security vulnerability which could result in weaker than expected security.\n\n## Vulnerability Details\n\n**CVE-ID: [CVE-2019-9946](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9946>)** \nDescription: Kubernetes could provide weaker than expected security, caused by an interaction when paired with the embedded CNI (Container Networking Interface) that uses the portmap plugin. The portmap plugin inserts rules at the front of the iptables nat chains which would take precedence over the KUBE- SERVICES chain. The HostPort/portmap rule allows for matching of incoming traffic even if there are better fitting, more specific service definition rules like NodePorts later in the chain. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/158803> for more information \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nIBM Cloud Kubernetes Service 1.13.0-1.13.4 \nIBM Cloud Kubernetes Service 1.12.0-1.12.6 \nIBM Cloud Kubernetes Service 1.11.0-1.11.8 \nIBM Cloud Kubernetes Service 1.5-1.10\n\n## Remediation/Fixes\n\nIBM Cloud Kubernetes Service clusters at versions 1.11 and later have been updated to address this vulnerability. To resolve any existing exposure to this vulnerability, you must reboot or update your worker nodes. See [Updating worker nodes](<https://cloud.ibm.com/docs/containers/cs_cluster_update.html#worker_node>) for details on updating worker nodes. To verify your clusters have been updated, use the following IBM Cloud CLI commands to confirm the currently running versions:\n \n \n ibmcloud ks clusters\n ibmcloud ks workers --cluster <cluster name or ID>\n\nIf your master and worker node versions are at one of the following levels or later, you are no longer exposed to this vulnerability:\n\n1.11.9 \n1.12.7 \n1.13.5\n\nIf one or more of your clusters is at version 1.11, 1.12 or 1.13 and has not been automatically updated then use the following IBM Cloud CLI command to complete the update, replacing \"1.##\" with the target version. After the update is complete, you must also reboot or update your worker nodes. See [Updating worker nodes](<https://cloud.ibm.com/docs/containers/cs_cluster_update.html#worker_node>) for details on updating worker nodes.\n \n \n ibmcloud ks cluster-update --cluster <cluster name or ID> --kube-version 1.##\n \n\nCustomers running IBM Cloud Kubernetes Service clusters at version 1.10 must update their affected clusters to version 1.11 or 1.12. Customers running IBM Cloud Kubernetes Service clusters at version 1.7, 1.8 or 1.9 must update first to version 1.10 and then to version 1.11 or 1.12. Please review the [update documentation](<https://cloud.ibm.com/docs/containers?topic=containers-update#update>) for more information.\n\nCustomers running IBM Cloud Kubernetes Service clusters at version 1.5 must create a new cluster and migrate their apps to it.\n\nNote: IBM Cloud Kubernetes Service versions 1.5, 1.7, 1.8 and 1.9 are no longer supported, and version 1.10 is deprecated. See the IBM Cloud Kubernetes Service [Version information and update actions documentation](<https://cloud.ibm.com/docs/containers/cs_versions.html#cs_versions>) for more information about Kubernetes versions and version support policies.\n\n## Monitor IBM Cloud Status for Future Security Bulletins\n\nMonitor the [security notifications](<https://cloud.ibm.com/status?selected=security>) on the IBM Cloud Status page to be advised of future security bulletins.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n<https://discuss.kubernetes.io/t/announce-security-release-of-kubernetes-affecting-certain-network-configurations-with-cni-releases-1-11-9-1-12-7-1-13-5-and-1-14-0-cve-2019-9946/5713>\n\n## Change History\n\n9 April 2019 : Original version published\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSJTBP\",\"label\":\"IBM Cloud Kubernetes Service\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"All Versions\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB21\",\"label\":\"Public Cloud Platform\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2019-04-09T15:50:01", "type": "ibm", "title": "Security Bulletin: IBM Cloud Kubernetes Service is affected by a CNI security vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-9946"], "modified": "2019-04-09T15:50:01", "id": "19D705C6285873D637054C4817061D74BA8B9392E73A64500AFF9B8204BCD264", "href": "https://www.ibm.com/support/pages/node/879585", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-06-28T22:13:16", "description": "## Summary\n\nIBM Cloud Private for Data is affected by multiple security vulnerabilites in Kubernetes which in some cases can allow unauthorized access to the Kubernetes API Server and/or trusted user privilege escalation.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2019-9946](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9946>) \n**DESCRIPTION:** Kubernetes could provide weaker than expected security, caused by an interaction when paired with the embedded CNI (Container Networking Interface) that uses the portmap plugin. The portmap plugin inserts rules at the front of the iptables nat chains which would take precedence over the KUBE- SERVICES chain. The HostPort/portmap rule allows for matching of incoming traffic even if there are better fitting. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/158803> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n**CVEID:** [CVE-2019-1002101](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1002101>) \n**DESCRIPTION:** Kubernetes could allow a remote attacker to traverse directories on the system, caused by the improper handling of symlinks. By persuading a victim to use the kubectl cp command or the oc cp command with a malicious container, an attacker could replace or delete arbitrary files on the host machine. \nCVSS Base Score: 6.5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/158804> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)\n\n## Affected Products and Versions\n\nIBM Cloud Private for Data 1.2.0\n\nIBM Cloud Private for Data 1.2.1\n\nIBM Cloud Private for Data 2.1.0\n\n## Remediation/Fixes\n\nProduct defect fixes and security updates are only available for the two most recent Continuous Delivery (CD) update packages\n\n * IBM Cloud Private for Data 1.2.1\n * IBM Cloud Private for Data 2.1.0\n\nFor IBM Cloud Private for Data 1.2.1:\n\n * Apply the IBM Cloud Private Fix Pack for IBM Cloud Private V3.1.2 as directed in Security Bulletin <https://www-01.ibm.com/support/docview.wss?uid=ibm10878460>\n\nFor IBM Cloud Private for Data 2.1.0\n\n * Apply the IBM Cloud Private Fix Pack for IBM Cloud Private V3.1.2 as directed in Security Bulletin <https://www-01.ibm.com/support/docview.wss?uid=ibm10878460>\n\nFor IBM Cloud Private for Data 1.1.x\n\n * Upgrade to the latest Continuous Delivery release IBM Cloud Private for Data 2.1.0 and apply this fix patch.\n * If required, individual product fixes can be made available between CD update packages for resolution of problems. Contact IBM Support for assistance\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n07 June 2019: Original Version Published \n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSHGYS\",\"label\":\"IBM Cloud Pak for Data\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"All Versions\",\"Edition\":\"1.2.0, 1.2.1, 2.1.0\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2019-10-03T22:50:40", "type": "ibm", "title": "Security Bulletin: IBM Cloud Private for Data is affected multiple security vulnerabilities in IBM Cloud Private Kubernetes", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-1002101", "CVE-2019-9946"], "modified": "2019-10-03T22:50:40", "id": "B99FE653A9AE0763E6DFAA942F58E9D4A12C26AAFC9C59A49585A65B29261118", "href": "https://www.ibm.com/support/pages/node/886609", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2022-06-28T22:02:28", "description": "## Summary\n\nMultiple Security Vulnerabilities affect IBM Cloud Private Kubernetes\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2019-4119](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-4119>) \n**DESCRIPTION:** IBM Cloud Private Kubernetes API server can be used as an HTTP proxy to not only cluster internal but also external target IP addresses. \nCVSS Base Score: 3.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/158145> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N)\n\n**CVEID:** [CVE-2019-9946](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9946>) \n**DESCRIPTION:** Kubernetes could provide weaker than expected security, caused by an interaction when paired with the embedded CNI (Container Networking Interface) that uses the portmap plugin. The portmap plugin inserts rules at the front of the iptables nat chains which would take precedence over the KUBE- SERVICES chain. The HostPort/portmap rule allows for matching of incoming traffic even if there are better fitting. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/158803> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n**CVEID:** [CVE-2019-1002100](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1002100>) \n**DESCRIPTION:** The Kubernetes API server is vulnerable to a denial of service. By sending a specially crafted patch of type \"json-patch\" requests, a remote authenticated attacker could exploit this vulnerability to consume an excessive amount of resources. \nCVSS Base Score: 6.5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/157685> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [CVE-2019-1002101](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1002101>) \n**DESCRIPTION:** Kubernetes could allow a remote attacker to traverse directories on the system, caused by the improper handling of symlinks. By persuading a victim to use the kubectl cp command or the oc cp command with a malicious container, an attacker could replace or delete arbitrary files on the host machine. \nCVSS Base Score: 6.5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/158804> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)\n\n**CVEID:** [CVE-2019-11243](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11243>) \n**DESCRIPTION:** Kubernetes could allow a remote attacker to bypass security restrictions, caused by the failure to effectively clear service account credentials loaded using rest.InClusterConfig() by the rest.AnonymousClientConfig() method. By sending a specially-crafted request, an attacker could exploit this vulnerability to send the loaded service account token with requests. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/160040> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nIBM Cloud Private 2.1.x, 3.1.0, 3.1.1, 3.1.2\n\n## Remediation/Fixes\n\nProduct defect fixes and security updates are only available for the two most recent Continuous Delivery (CD) update packages\n\n * IBM Cloud Private 3.1.2\n * IBM Cloud Private 3.1.1 \n\nFor IBM Cloud Private 3.1.2, apply patch:\n\n * [Kubernetes](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/WebSphere/IBM+Cloud+Private&release=All&platform=All&function=fixId&fixids=icp-3.1.2-build520253-25426&includeSupersedes=0>)\n\nFor IBM Cloud Private 3.1.1, apply patch:\n\n * [Kubernetes](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/WebSphere/IBM+Cloud+Private&release=All&platform=All&function=fixId&fixids=icp-3.1.1-build520169-23722&includeSupersedes=0>)\n\nFor IBM Cloud Private, 2.1.x, 3.1.0:\n\n * Upgrade to the latest Continuous Delivery (CD) update package, IBM Cloud Private 3.2. \n * If required, individual product fixes can be made available between CD update packages for resolution of problems. Contact IBM support for assistance\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n15 May 2019 - Original version published\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud & Data Platform\"},\"Product\":{\"code\":\"SSBS6K\",\"label\":\"IBM Cloud Private\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"All Versions\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-05-15T20:55:02", "type": "ibm", "title": "Security Bulletin: Multiple Security Vulnerabilities affect IBM Cloud Private Kubernetes", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-1002100", "CVE-2019-1002101", "CVE-2019-11243", "CVE-2019-4119", "CVE-2019-9946"], "modified": "2019-05-15T20:55:02", "id": "F4562CCE9E2D6492BBBE44DC195812B000F6C5E4EB138BF0EBD5197AC64B28A3", "href": "https://www.ibm.com/support/pages/node/878460", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}], "cloudfoundry": [{"lastseen": "2022-03-17T16:24:21", "description": "# \n\n## Severity\n\nMedium\n\n## Vendor\n\nCloud Foundry Foundation\n\n## Affected Cloud Foundry Products and Versions\n\n * Cloud Foundry Container Runtime (CFCR) \n * All versions prior to 0.31.0\n\n## Description\n\nA security issue was discovered with interactions between the CNI (Container Networking Interface) portmap plugin versions prior to 0.7.5 and Kubernetes. The CNI portmap plugin is embedded into Kubernetes releases so new releases of Kubernetes are required to fix this issue. The issue is Medium and upgrading to Kubernetes 1.11.9, 1.12.7, 1.13.5, and 1.14.0 is encouraged to fix this issue if this plugin is used in your environment.\n\n## Mitigation\n\nUsers of affected versions should apply the following mitigations or upgrades:\n\n * Releases that have fixed this issue include: \n * CFCR version 0.31.0\n\n## History\n\n2019-04-01: Initial vulnerability report published.\n", "cvss3": {}, "published": "2019-04-01T00:00:00", "type": "cloudfoundry", "title": "CVE-2019-9946: Kubernetes affecting certain network configurations with CNI | Cloud Foundry", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2019-9946"], "modified": "2019-04-01T00:00:00", "id": "CFOUNDRY:BEE2CD02D91B0A686201AF635BD7E6FD", "href": "https://www.cloudfoundry.org/blog/cve-2019-9946/", "cvss": {"score": 0.0, "vector": "NONE"}}], "debiancve": [{"lastseen": "2022-07-04T05:59:20", "description": "Cloud Native Computing Foundation (CNCF) CNI (Container Networking Interface) 0.7.4 has a network firewall misconfiguration which affects Kubernetes. The CNI 'portmap' plugin, used to setup HostPorts for CNI, inserts rules at the front of the iptables nat chains; which take precedence over the KUBE- SERVICES chain. Because of this, the HostPort/portmap rule could match incoming traffic even if there were better fitting, more specific service definition rules like NodePorts later in the chain. The issue is fixed in CNI 0.7.5 and Kubernetes 1.11.9, 1.12.7, 1.13.5, and 1.14.0.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2019-04-02T18:30:00", "type": "debiancve", "title": "CVE-2019-9946", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-9946"], "modified": "2019-04-02T18:30:00", "id": "DEBIANCVE:CVE-2019-9946", "href": "https://security-tracker.debian.org/tracker/CVE-2019-9946", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "hackerone": [{"lastseen": "2021-11-10T15:55:12", "bounty": 1000.0, "description": "This bug report mostly concerns the default CNI plugins (https://github.com/containernetworking/plugins) but I believe affects many K8S clusters.\nBecause the CNI team still doesn\u2019t provide an explicit way to report security bugs, I hope the K8S security team doesn\u2019t mind doing the coordination job again as was done for CVE-2019-9946.\nI understand this is out of scope for this bounty, and I understand if you want to close this report and prefer that I resend it via email to security@kubernetes.io or other.\n\n## Summary:\nIn many K8S network configurations the container network interface is a virtual ethernet link going to the host (veth interface). In this configuration, an attacker able to run a process as root in a container can send and receive arbitrary packets to the host using the CAP_NET_RAW capability (present in default configuration).\n\nIn a K8S cluster with an IPv4 internal network, if IPv6 is not totally disabled on the host (via ipv6.disable=1 on the kernel cmdline), it will be either unconfigured or configured on some interfaces, but it\u2019s pretty likely that ipv6 forwarding is disabled, ie /proc/sys/net/ipv6/conf/*/forwarding == 0. Also by default, /proc/sys/net/ipv6/conf/*/accept_ra == 1. The combination of these 2 sysctls means that the host accepts router advertisements and configure the IPv6 stack using them.\n\nBy sending \u201crogue\u201d router advertisements, an attacker can reconfigure the host to redirect part or all of the IPv6 traffic of the host to the attacker controlled container.\nEven if there was no IPv6 traffic before, if the DNS returns A (IPv4) and AAAA (IPv6) records, many HTTP libraries will try to connect via IPv6 first then fallback to IPv4, giving an opportunity to the attacker to respond.\nIf by chance you also have on the host a vulnerability like last year\u2019s RCE in apt (CVE-2019-3462), you can now escalate to the host.\n\nAs CAP_NET_ADMIN is not present by default in K8S pods, the attacker can\u2019t configure the IPs they want to MitM, they can\u2019t use iptables to NAT or REDIRECT the traffic, and they can\u2019t use IP_TRANSPARENT. The attacker can however still use CAP_NET_RAW and implement a tcp/ip stack in user space.\n\nThis report includes a POC based on smoltcp (https://github.com/smoltcp-rs/smoltcp) that sends router advertisements and implements a dummy HTTP server listening on any IPv6 addresses.\n\nThis vulnerability can easily be fixed by setting accept_ra = 0 by default on any interface managed by CNI / K8S.\n\n## Kubernetes Version:\nReproduced on:\nGKE Cos 1.14.10-gke.17 with native VPC\nGKE Cos 1.16.6-gke.12 with/without native VPC\nGKE Cos + containerd 1.16.6-gke.12 without native VPC\nKubespray k8s 1.17.3 + containerd\n\n\n## Component Version:\nCNI 0.7.5\n\n## Steps To Reproduce:\n\nPlease find attached F748694, a recording of my shell using asciinema (https://github.com/asciinema/asciinema)\n\nThe GKE cluster used was created using the following command:\n`gcloud beta container --project \"copper-frame-263204\" clusters create \"testipv6\" --zone \"us-central1-c\" --no-enable-basic-auth --release-channel \"rapid\" --machine-type \"n1-standard-1\" --image-type \"COS\" --disk-type \"pd-standard\" --disk-size \"100\" --metadata disable-legacy-endpoints=true --scopes \"https://www.googleapis.com/auth/devstorage.read_only\",\"https://www.googleapis.com/auth/logging.write\",\"https://www.googleapis.com/auth/monitoring\",\"https://www.googleapis.com/auth/servicecontrol\",\"https://www.googleapis.com/auth/service.management.readonly\",\"https://www.googleapis.com/auth/trace.append\" --num-nodes \"3\" --enable-stackdriver-kubernetes --no-enable-ip-alias --network \"projects/copper-frame-263204/global/networks/default\" --subnetwork \"projects/copper-frame-263204/regions/us-central1/subnetworks/default\" --no-enable-master-authorized-networks --addons HorizontalPodAutoscaling,HttpLoadBalancing --enable-autoupgrade --enable-autorepair`\n\nThis cluster is created without `--enable-ip-alias` (but the attack also with it)\n\n## Supporting Material/References:\nF748693: rust source code for the POC\nF748694: asciinema recording\n\n## Impact\n\nAn attacker able to run arbitrary code as root inside of a container can MitM part of the host\u2019s traffic. This vulnerability if chained with other vulnerability like last year\u2019s RCE in apt (CVE-2019-3462) could allow to escalate to the host.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-03-15T17:34:18", "type": "hackerone", "title": "Kubernetes: IPv4 only clusters susceptible to MitM attacks via IPv6 rogue router advertisements", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-3462", "CVE-2019-9946"], "modified": "2021-11-07T03:52:50", "id": "H1:819717", "href": "https://hackerone.com/reports/819717", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "oraclelinux": [{"lastseen": "2021-07-30T06:24:36", "description": "[1.9.11-2.5.1]\n- [OLCNE-235] [CVE-2019-9946] portmap inserts rules at the front of the iptables nat chains\n[1.9.11-2.4.1]\n- [CVE-2019-1002101] kubectl fix potential directory traversal\n[1.9.11-2.3.1]\n- [CVE-2019-1002100] Limit the number of operations in a single json patch to be 10,000\n- Fixup kubeadm-setup.sh, kubeadm-registry.sh and image", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2019-04-13T00:00:00", "type": "oraclelinux", "title": "kubernetes security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-1002100", "CVE-2019-1002101", "CVE-2019-9946"], "modified": "2019-04-13T00:00:00", "id": "ELSA-2019-4609", "href": "http://linux.oracle.com/errata/ELSA-2019-4609.html", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2021-07-30T06:24:53", "description": "[1.10.5-2.5.4]\n- [OLCNE-235] [CVE-2019-9946] portmap inserts rules at the front of the iptables nat chains\n[1.10.5-2.4.4]\n- [CVE-2019-1002101] kubectl fix potential directory traversal\n[1.10.5-2.3.4]\n- [CVE-2019-1002100] Limit the number of operations in a single json patch to be 10,000\n- Fixup kubeadm-setup.sh, kubeadm-registry.sh and image", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2019-04-13T00:00:00", "type": "oraclelinux", "title": "kubernetes security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-1002100", "CVE-2019-1002101", "CVE-2019-9946"], "modified": "2019-04-13T00:00:00", "id": "ELSA-2019-4610", "href": "http://linux.oracle.com/errata/ELSA-2019-4610.html", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2021-07-30T06:24:30", "description": "[1.11.3-2.5.2]\n- [OLCNE-235] [CVE-2019-9946] portmap inserts rules at the front of the iptables nat chains\n[1.11.3-2.4.2]\n- [CVE-2019-1002101] kubectl fix potential directory traversal\n[1.11.3-2.3.2]\n- [CVE-2019-1002100] Limit the number of operations in a single json patch to be 10,000", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2019-04-13T00:00:00", "type": "oraclelinux", "title": "kubernetes security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-1002100", "CVE-2019-1002101", "CVE-2019-9946"], "modified": "2019-04-13T00:00:00", "id": "ELSA-2019-4611", "href": "http://linux.oracle.com/errata/ELSA-2019-4611.html", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2021-07-28T14:25:15", "description": "kubernetes\n[1.12.7-1.1.2]\n- [OLCNE-257] fix coredns issue and minor upgrade issue\n[1.12.7-1.1.1]\n- [OLCNE-235] [CVE-2019-9946] portmap inserts rules at the front of the iptables nat chains\n[1.12.7-1.0.1]\n- Add Oracle Build Files For Version v1.12.7\nkubeadm-upgrade\n[0.0.1-1.0.22]\n-- Bump up 1.12.7 version for coredns fix\n[0.0.1-1.0.21]\n-- CVE-2019-9946\n[0.0.1-1.0.20]\n-- CVE-2019-1002101\n[0.0.1-1.0.19]\n-- Bump up 1.12.6 version\n[0.0.1-1.0.18]\n-- OLCNE-201 upgrade from 1.9 to 1.12 fails\n[0.0.1-1.0.17]\n-- Update the Kubernetes version to include the conntrack fix\n[0.0.1-1.0.16]\n-- CVE-2019-1002100\nkubeadm-ha-setup\n[0.0.2-1.0.24]\n- Return stdout and stderr from Run function to allow the caller decided what to display\n[0.0.2-1.0.23]\n- [OLCNE-170] proxy variable is inherited in remote master\n[0.0.2-1.0.22]\n- The Trim function doesn't work for replacing strings\n- Upgrade should use the pause container instead of pause-amd64\n[0.0.2-1.0.21]\n- Include 1.12.7 image and update 1.13 and metric servers info\n[0.0.2-1.0.20]\n- Support new registries and allow for password to have a colon\n[0.0.2-1.0.19]\n- --force flag for full restore\n[0.0.2-1.0.18]\n- Change update help message\n[0.0.2-1.0.17]\n- Change update message, add ha install command and ask for confirmation\n[0.0.2-1.0.16]\n- Change upgrade command name to update\n[0.0.2-1.0.15]\n- Fix upgrade for point release\n[0.0.2-1.0.14]\n- OLCNE-79 Move file.go to config.go\n[0.0.2-1.0.13]\n- OLCNE-144 Feature Flag 1.13 code\n[0.0.2-1.0.12]\n- Add support of upgrading HA master nodes\n[0.0.2-1.0.11]\n- Support deploying Kubernetes version 1.13.2\n[0.0.2-1.0.10]\n- CVE-2018-16875\n[0.0.2-1.0.9]\n- Add timeout to Run() (gitlab issues #3)\n- Rename path to linux-git.us.oracle.com/Kubernetes\n[0.0.2-1.0.8]\n- Remove releases.json dependency\n[0.0.2-1.0.7]\n- Pin dependent kubernetes packages\n[0.0.2-1.0.6]\n- Update deps for kube 1.13\n[0.0.2-1.0.5]\n- Add test runner in makefile and execute it in CI/CD\n[0.0.2-1.0.4]\n- Fix backup path issue again found by Tom Cocozzello\n[0.0.2-1.0.3]\n- [Orabug 29152516] Backup and restore /var/lib/kubelet/kubeadm-flags.env too\n- Cleanup kube-ipvs0 interface too\n- More code cleanup\n- Use map for checking kernel module\n- Fix client joining errors\n- Addressing Tom Cocozzello's review\n- Enabling IPVS in HA\n[0.0.2-1.0.2]\n- Update dashboard image (CVE-2018-18264)\n[0.0.2-1.0.1]\n- Allow Oracle certified addons to be installed via cli\nkubernetes-cni\n[0.6.0-2.2.1]\n- [OLCNE-235] [CVE-2019-9946] portmap inserts rules at the front of the iptables nat chains\nkubernetes-cni-plugins\n[0.7.5-1.0.1.dev]\n- Update to v0.7.5", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2019-04-13T00:00:00", "type": "oraclelinux", "title": "kubernetes kubeadm-upgrade kubeadm-ha-setup security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-16875", "CVE-2018-18264", "CVE-2019-1002100", "CVE-2019-1002101", "CVE-2019-9946"], "modified": "2019-04-13T00:00:00", "id": "ELSA-2019-4593", "href": "http://linux.oracle.com/errata/ELSA-2019-4593.html", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-07-30T06:24:51", "description": "kubernetes\n[1.12.10-1.0.11]\n- [CVE-2019-11254] kube-apiserver Denial of Service vulnerability from malicious YAML payloads\n[1.12.10-1.0.10]\n- [CVE-2019-16276] Kubernetes Vulnerabilities Allow Authentication Bypass, DoS\n[1.12.10-1.0.9]\n- Define rolling update for flannel\n[1.12.10-1.0.8]\n- Modify flannel/dashboard image tags to use images that have the cve fix\n[1.12.10-1.0.7]\n- [CVE-2019-11253] Kubernetes API Server JSON/YAML parsing vulnerable to resource exhaustion attack\n[1.12.10-1.0.6]\n- [CVE-2019-16276] bump golang to 1.12.10\n[1.12.10-1.0.5]\n- added THIRD_PARTY_LICENSES.txt file\n[1.12.10-1.0.4]\n- fix for CVE-2019-11251\n[1.12.10-1.0.3]\n- replacing references to kubernetes-dashboard-amd64 with kubernetes-dashboard\n[1.12.10-1.0.2]\n- Added Oracle specific build files for Kubernetes\nkubeadm-ha-setup\n[0.0.2-1.0.69]\n- [CVE-2019-11254] kube-apiserver Denial of Service vulnerability from malicious YAML payloads\n[0.0.2-1.0.68]\n- Pull image prior to update and fix image repo for addons\n[0.0.2-1.0.67]\n- Bump golang build version\n[0.0.2-1.0.66]\n- [CVE-2019-16276] Support patching flannel/dashboard on upgrade\n[0.0.2-1.0.65]\n- [CVE 2019-16276] Support deploygin 1.12 and 1.13 with CVE patched\n[0.0.2-1.0.64]\n- [CVE-2019-16276] Support patching etcd on upgrade\n[0.0.2-1.0.63]\n- [CVE-2019-16276] while upgrading a cluster patch the coredns image\n[0.0.2-1.0.62]\n- CVE-2019-16276 : Update flannel , etcd coredns and dashboard images.\n[0.0.2-1.0.61]\n- Added Support for 1.13.11 and removed support for 1.13.10\n[0.0.2-1.0.59]\n- Remove Support for 1.14.6\n[0.0.2-1.0.58]\n- Replacing reference to kubernetes-dashboard-amd64 with kubernetes-dashboard\n[0.0.2-1.0.57]\n- Support 1.12.10\n[0.0.2-1.0.56]\n- Support 1.14.6\n[0.0.2-1.0.55]\n- Support 1.13.10\n[0.0.2-1.0.54]\n- Support 1.13.9\n[0.0.2-1.0.53]\n- Mark 1.14 as a developer build\n[0.0.2-1.0.52]\n- Restore fails when trying to restore after a failed update\n[0.0.2-1.0.51]\n- Minor version update doesn't update kubeadm on all master nodes\n[0.0.2-1.0.50]\n- Make k8s 1.14 specific changes\n[0.0.2-1.0.49]\n- Remove 1.10 and 1.11 version since they are incompatable\n[0.0.2-1.0.48]\n- Support deploying 5 master nodes\n[0.0.2-1.0.47]\n- Only update/upgrade the controlplane images if they changed in the Release object\n[0.0.2-1.0.46]\n- Fix version comparison function during upgrade\n[0.0.2-1.0.45]\n- Fix rpm version compare\n- Allow kubernetes updates for patch version\n[0.0.2-1.0.44]\n- Allow assume yes to deploy a single master without the prompt\n[0.0.2-1.0.43]\n- Post cluster creation should check only for master nodes\n[0.0.2-1.0.42]\n- Update keepalived check api server to ensure we are grepping the correct IP\n[0.0.2-1.0.41]\n- Make ha.yaml an optional argument in the cli for single master cluster\n[0.0.2-1.0.40]\n- Add pod cidr default and refactor ha.yaml example\n[0.0.2-1.0.39]\n- Remove features: feature1_13=true from config\n[0.0.2-1.0.38]\n- Default kubernetes version to latest production version\n[0.0.2-1.0.37]\n- Fix keepalived issue when firewalld is disable\n[0.0.2-1.0.36]\n- Default kubernetes version to latest production version\n[0.0.2-1.0.35]\n- Add addons template and config files\n[0.0.2-1.0.34]\n- Enhance tests\n[0.0.2-1.0.33]\n- fix regression of previous firewall fix\n[0.0.2-1.0.32]\n- Fix firewall issues during restore\n[0.0.2-1.0.31]\n- Fix firewall issues\n[0.0.2-1.0.30]\n- Enhance output while validating the system\n[0.0.2-1.0.29]\n- Fix DR in 1.13\n[0.0.2-1.0.28]\n- Fix apiserver_cert_extra_sans for 1.13 clusters\n[0.0.2-1.0.27]\n- Fix update/upgrade output message\n[0.0.2-1.0.26]\n- Fix major upgrade\n[0.0.2-1.0.25]\n- Add registry migration\n[0.0.2-1.0.24]\n- Return stdout and stderr from Run function to allow the caller decided what to display\n[0.0.2-1.0.23]\n- Proxy variable is inherited in remote master\n[0.0.2-1.0.22]\n- The Trim function doesn't work for replacing strings\n- Upgrade should use the pause container instead of pause-amd64\n[0.0.2-1.0.21]\n- Include 1.12.7 image and update 1.13 and metric servers info\n[0.0.2-1.0.20]\n- Support new registries and allow for password to have a colon\n[0.0.2-1.0.19]\n- --force flag for full restore\n[0.0.2-1.0.18]\n- Change update help message\n[0.0.2-1.0.17]\n- Change update message, add ha install command and ask for confirmation\n[0.0.2-1.0.16]\n- Change upgrade command name to update\n[0.0.2-1.0.15]\n- Fix upgrade for point release\n[0.0.2-1.0.14]\n- Move file.go to config.go\n[0.0.2-1.0.13]\n- Feature Flag 1.13 code\n[0.0.2-1.0.12]\n- Add support of upgrading HA master nodes\n[0.0.2-1.0.11]\n- Support deploying Kubernetes version 1.13.2\n[0.0.2-1.0.10]\n- CVE-2018-16875\n[0.0.2-1.0.9]\n- Add timeout to Run() (gitlab issues #3)\n- Rename path to linux-git.us.oracle.com/Kubernetes\n[0.0.2-1.0.8]\n- Remove releases.json dependency\n[0.0.2-1.0.7]\n- Pin dependent kubernetes packages\n[0.0.2-1.0.6]\n- Update deps for kube 1.13\n[0.0.2-1.0.5]\n- Add test runner in makefile and execute it in CI/CD\n[0.0.2-1.0.4]\n- Fix backup path issue again found by Tom Cocozzello\n[0.0.2-1.0.3]\n- [Orabug 29152516] Backup and restore /var/lib/kubelet/kubeadm-flags.env too\n- Cleanup kube-ipvs0 interface too\n- More code cleanup\n- Use map for checking kernel module\n- Fix client joining errors\n- Addressing Tom Cocozzello's review\n- Enabling IPVS in HA\n[0.0.2-1.0.2]\n- Update dashboard image (CVE-2018-18264)\n[0.0.2-1.0.1]\n- Allow Oracle certified addons to be installed via cli\n[0.0.1-2.0.9]\n- Use 'dep ensure' to clean up symlinks in the vendor directory\n[0.0.1-2.0.5]\n- Clean up un-used build scripts\n[0.0.1-2.0.4]\n- Add Makefile for building and testing code\n[0.0.1-2.0.3]\n- Fix file restore issue when it contains './'\n[0.0.1-2.0.2]\n- Resolve the full filepath when '.' is passed in\n- Addressing review by Muminul Islam\n[0.0.1-2.0.1]\n- Remove 'firewall-cmd --reload' as it can hangs OCI\n- Fix some errors reported by Shubham\n- Error out if options is not currently supported in HandleEtcdOps\n- Fix down issue\n- Dump log output to /var/log/kubeadm-ha-setup\n[0.0.1-1.0.37]\n- Fix kubernetes version\n- Include log printing when error occurs\n- Fix client.go regression due to new down function\n[0.0.1-1.0.36]\n- Remove Godeps, using dep for now\n- Check if image is not set before referencing\n- Rename getEtcdConfigV2 to getEtcdConfig\n- Adding down functionality\n- Update ha.yaml file\n[0.0.1-1.0.35]\n- Removing etcd.go\n- Addressing Tom Cocozzello review\n- [Orabug 28977571]\n[0.0.1-1.0.34]\n- Enabling full restore on HA master and single master\n- Cleanup\n- Enable single master backup\n- Double the context request timeout\n- Implement retryable AddMember\n[0.0.1-1.0.33]\n- Modified DR for One node case to use new etcd API\n- Enhanced the helper scripts such that it will error out\n- HealthCheck re-implementation\n[0.0.1-1.0.32]\n- Update dashboard image\n[0.0.1-1.0.31]\n- Needs to be run as a privileged user\n- Enable CoreDNS as default\n[0.0.1-1.0.30]\n- Enable single master setup\n[0.0.1-1.0.29]\n- Redesigned for setting up v1.12 HA clusters\n[0.0.1-1.0.28]\n- Fixes for v1.11\n- Addressing Laszlo Peter review\n- Addressing Daniel Krasinski review\n[0.0.1-1.0.27]\n- Fix build failure\n- Add UPL LICENSE\n- Fix the usage of defer\n- Re-try when docker pull image gets a timeout\n- Refactor SetupCreds()\n- Remove --force flag for restore\n- When something fail, we should lenghten the timeout time\n[0.0.1-1.0.26]\n- When context timed out catch it and print stdout, stderr\n[0.0.1-1.0.25]\n- Check output from docker client and probe for error\n[0.0.1-1.0.24]\n- Properly parse if repo has a special ':' character\n[0.0.1-1.0.23]\n- Checking the total nodes would be better implementation\n- Fixup etcd add member errors\n[0.0.1-1.0.22]\n- Pod count could be >= 20\n- Remove port 30000-32767/tcp check for client node\n- Querying k8s cluster health instead of etcd for backup\n- Cosmestic fix\n- Etcd one node restore problems\n[0.0.1-1.0.21]\n- Check whether repo needs auth even in one node restore case\n- Fixup the restore script\n- docker pull image change in behavior in 18.03\n- Include client side image repo checking too\n- Provide a full repo path for comparison\n- Make kubernetes_developer as the sample repo\n- Use strings.Contains to compare strings\n- Fix README\n- Initial README\n- Include changes in kube.go\n[0.0.1-1.0.20]\n- In OCI LB can takes time to setup properly\n- Fix random string\n- [Orabug 28445064]\n- Replace RunCmdExec() with just Run()\n- Sanity check for # of master\n- Make kubeadm token default to be random\n[0.0.1-1.0.19]\n- Check if docker exec etcd returns Error\n- Check env first before trying to pull image\n- [Orabug 28461826]\n[0.0.1-1.0.18]\n- Fixing LB, kubelet, kubectl-proxy\n- Add a DEBUG flag for more verbose output\n[0.0.1-1.0.17]\n- Don't loop forever in client, make Run() more consistent in master\n- Fixup LB for OCI\n- Add apiserver-bind-port capability\n[0.0.1-1.0.17]\n- Include apiserver_cert_extra_sans and service_cidr\n[0.0.1-1.0.16]\n- Include restoring keepalived for one and full restore\n- For Full Restore we need to first clean up before anything else\n- Clean up DR, make backup check etcd health first\n- Properly clean-up flannel.1 and cni0\n[0.0.1-1.0.15]\n- DR code cleanup\n- Changed permission on the created dir to 0755\n- Fix filename not found error\n[0.0.1-1.0.14]\n- Don't panic()\n- In One node restore case verify the ca.crt MD5SUM\n- Full DR feature\n- Redesign of the DR\n- Include file and its line number for logging\n- Put the binary full path\n- Re-arrange varibles for ssh.go\n- Separate etcd cli to another file (etcd.go)\n- Addition to kubectl cli\n- Check if MyIP for local node is missing/empty\n[0.0.1-1.0.13]\n- Replace binary names\n- Include the ability to re-try master setup\n[0.0.1-1.0.12]\n- Renamed the whole REPO to kubeadm-ha-setup\n- Don't print out more logs as necessary\n[0.0.1-1.0.12]\n- Enhance ssh/sftp code\n[0.0.1-1.0.11]\n- Change the storePath\n- Include keepalived backup and change backup.sh/restore.sh\n[0.0.1-1.0.10]\n- Continuing on the restore part\n- Make the script to query all KUBEDIR directory from a single file\n- Consolidate KUBEDIR\n- Make systemd related file 0644\n[0.0.1-1.0.9]\n- Fixup the hardcoded directory as such we are reading from only limited source\n- Include the Docker API for restore\n- Initial implementation of DR\n[0.0.1-1.0.8]\n- Fixup kubeadm-setup join\n- systemctl enable kubelet\n[0.0.1-1.0.7]\n- Fix LoadBalancer to take care of extra steps\n[0.0.1-1.0.6]\n- Cleanup some stdout\n- Add token field in ha.yaml for ease of automated setup\n[0.0.1-1.0.5]\n- If Loadbalancer is preferred/used\n[0.0.1-1.0.4]\n- Remove goroutine sleep - unnecessary\n- Provides structure to store required files and cert files\n- Fix merge errors\n[0.0.1-1.0.3]\n- Create /run/kubeadm w-w/o --skip\n[0.0.1-1.0.2]\n- NoHA and LoadBalancer\n[0.0.1-1.0.1]\n- Initial build\nkubeadm-upgrade\n[0.0.1-1.0.28]\n-- [CVE-2019-11254] kube-apiserver Denial of Service vulnerability from malicious YAML payloads\n[0.0.1-1.0.27]\n-- [CVE-2019-16276] Kubernetes Vulnerabilities Allow Authentication Bypass, DoS\n[0.0.1-1.0.26]\n-- Create log folder before any log write or error exit [ orabug: 29806186 ]\n[0.0.1-1.0.25]\n-- Enforce exit on errors\n[0.0.1-1.0.24]\n-- Dashboard yaml location was moved in Kubernetes 1.12.7\n[0.0.1-1.0.23]\n-- Detect latest kubernetes version from yum\n[0.0.1-1.0.22]\n-- Bump up 1.12.7 version for coredns fix\n[0.0.1-1.0.21]\n-- CVE-2019-9946\n[0.0.1-1.0.20]\n-- CVE-2019-1002101\n[0.0.1-1.0.19]\n-- Bump up 1.12.6 version\n[0.0.1-1.0.18]\n-- Upgrade from 1.9 to 1.12 fails\n[0.0.1-1.0.17]\n-- Update the Kubernetes version to include the conntrack fix\n[0.0.1-1.0.16]\n-- CVE-2019-1002100\n[0.0.1-1.0.15]\n-- CVE-2018-1002105\n[0.0.1-1.0.14]\n-- Fix kube version for 1.10.5\n[0.0.1-1.0.13]\n-- Updating 1.10 and 1.11 version for CVE fixes\n-- Include flannel and dashboard upgrade\n[0.0.1-1.0.12]\n-- Upgrade to 1.12.5-2.1.1\n[0.0.1-1.0.11]\n-- Upgrade to 1.12.5\n[0.0.1-1.0.10]\n-- Add license info to the script\n[0.0.1-1.0.9]\n-- Add license file\n[0.0.1-1.0.8]\n-- Fix the bug on number of CPU checking\n[0.0.1-1.0.7]\n-- Use install instead of update for a specifc 1.12 version\n[0.0.1-1.0.6]\n-- Upgrade cluster to 1.12.3-* version only\n[0.0.1-1.0.5]\n-- Add exit handler to gather logs on failure\n[0.0.1-1.0.4]\n-- Enhance logging and check return code after kubeadm apply. Checking CPU and Memory of the system\n[0.0.1-1.0.3]\n-- Change REPO_PREFIX to use a single repo, increased timeout during cluster health check\n[0.0.1-1.0.2]\n-- Added comments and fix rpm name\n[0.0.1-1.0.1]\n- Upgrade to 1.12.3", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-04-17T00:00:00", "type": "oraclelinux", "title": "kubernetes kubeadm-ha-setup kubeadm-upgrade security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1002105", "CVE-2018-16875", "CVE-2018-18264", "CVE-2019-1002100", "CVE-2019-1002101", "CVE-2019-11251", "CVE-2019-11253", "CVE-2019-11254", "CVE-2019-16276", "CVE-2019-9946"], "modified": "2020-04-17T00:00:00", "id": "ELSA-2020-5654", "href": "http://linux.oracle.com/errata/ELSA-2020-5654.html", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "redhat": [{"lastseen": "2021-10-19T20:35:38", "description": "The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.\n\nSecurity Fix(es):\n\n* QEMU: slirp: heap buffer overflow during packet reassembly (CVE-2019-14378)\n\n* containers/image: not enforcing TLS when sending username+password credentials to token servers leading to credential disclosure (CVE-2019-10214)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 8.1 Release Notes linked from the References section.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-11-05T17:41:57", "type": "redhat", "title": "(RHSA-2019:3403) Important: container-tools:rhel8 security, bug fix, and enhancement update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10214", "CVE-2019-14378", "CVE-2019-9946"], "modified": "2021-02-02T08:06:31", "id": "RHSA-2019:3403", "href": "https://access.redhat.com/errata/RHSA-2019:3403", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}]}
[SECURITY] Fedora 30 Update: containernetworking-plugins-0.7.5-1.fc30
