Vulnerability Details : CVE-2019-9946
Cloud Native Computing Foundation (CNCF) CNI (Container Networking Interface) 0.7.4 has a network firewall misconfiguration which affects Kubernetes. The CNI 'portmap' plugin, used to setup HostPorts for CNI, inserts rules at the front of the iptables nat chains; which take precedence over the KUBE- SERVICES chain. Because of this, the HostPort/portmap rule could match incoming traffic even if there were better fitting, more specific service definition rules like NodePorts later in the chain. The issue is fixed in CNI 0.7.5 and Kubernetes 1.11.9, 1.12.7, 1.13.5, and 1.14.0.
Products affected by CVE-2019-9946
- cpe:2.3:a:netapp:cloud_insights:-:*:*:*:*:*:*:*
- cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*
- cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*
- cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*
- cpe:2.3:a:kubernetes:kubernetes:1.14.0:alpha0:*:*:*:*:*:*
- cpe:2.3:a:kubernetes:kubernetes:1.14.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:kubernetes:kubernetes:1.14.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:kubernetes:kubernetes:1.14.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:kubernetes:kubernetes:1.14.0:alpha2:*:*:*:*:*:*
- cpe:2.3:a:kubernetes:kubernetes:1.14.0:alpha3:*:*:*:*:*:*
- cpe:2.3:a:kubernetes:kubernetes:1.14.0:beta0:*:*:*:*:*:*
- cpe:2.3:a:kubernetes:kubernetes:1.13.6:beta0:*:*:*:*:*:*
- cpe:2.3:a:kubernetes:kubernetes:1.14.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:cncf:portmap:*:*:*:*:*:container_networking_interface:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-9946
0.37%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 56 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-9946
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
10.0
|
2.9
|
NIST | |
|
7.5
|
HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2019-9946
-
The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-9946
-
https://access.redhat.com/errata/RHBA-2019:0862
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SGOOWAELGH3F7OXRBPH3HCNZELNLXYTW/
-
https://github.com/containernetworking/plugins/pull/269#issuecomment-477683272
Portmap: append, rather than prepend, entry rules - CVE-2019-9946 by squeed · Pull Request #269 · containernetworking/plugins · GitHubPatch;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FCN66VYB3XS76SYH567SO7N3I254JOCT/
[SECURITY] Fedora 30 Update: containernetworking-plugins-0.7.5-1.fc30 - package-announce - Fedora Mailing-Lists
-
https://security.netapp.com/advisory/ntap-20190416-0002/
April 2019 Kubernetes Vulnerabilities in NetApp Products | NetApp Product SecurityPatch;Third Party Advisory
Jump to