{
  "threat_severity" : "Low",
  "public_date" : "2021-05-04T00:00:00Z",
  "bugzilla" : {
    "description" : "kubernetes: Bypass of Kubernetes API Server proxy TOCTOU",
    "id" : "1954914",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1954914"
  },
  "cvss3" : {
    "cvss3_base_score" : "2.2",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N",
    "status" : "draft"
  },
  "cwe" : "CWE-367",
  "details" : [ "As mitigations to a report from 2019 and CVE-2020-8555, Kubernetes attempts to prevent proxied connections from accessing link-local or localhost networks when making user-driven connections to Services, Pods, Nodes, or StorageClass service providers. As part of this mitigation Kubernetes does a DNS name resolution check and validates that response IPs are not in the link-local (169.254.0.0/16) or localhost (127.0.0.0/8) range. Kubernetes then performs a second DNS resolution without validation for the actual connection. If a non-standard DNS server returns different non-cached responses, a user may be able to bypass the proxy IP restriction and access private networks on the control plane.", "A security issue was discovered in Kubernetes where an authorized user may be able to access private networks on the Kubernetes control plane components. Kubernetes clusters are only affected if an untrusted user can create or modify Node objects and proxy to them, or an untrusted user can create or modify StorageClass objects and access KubeControllerManager logs." ],
  "acknowledgement" : "Red Hat would like to thank the Kubernetes Product Security Committee for reporting this issue. Upstream acknowledges Javier Provecho (Telefonica) as the original reporter.",
  "package_state" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Fix deferred",
    "package_name" : "atomic-openshift",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift",
    "cpe" : "cpe:/a:redhat:openshift:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-8562\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-8562\nhttps://groups.google.com/g/kubernetes-security-announce/c/-MFX60_wdOY" ],
  "name" : "CVE-2020-8562",
  "csaw" : false
}