CVE-2020-8554

moderate-risk

Published 2021-01-21

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.

Do I need to act?

24.8% chance of exploitation in next 30 days

EPSS score — higher than 75% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.3/10 Medium

NETWORK / LOW complexity

Affected Products (4)

Kubernetes

Communications Cloud Native Core Network Slice Selection Function

Communications Cloud Native Core Policy

Communications Cloud Native Core Service Communication Proxy

Affected Vendors

Oracle Kubernetes

References (18)

Exploit https://github.com/kubernetes/kubernetes/issues/97076

Mailing List https://groups.google.com/g/kubernetes-security-announce/c/iZWsF9nbKE8

https://lists.apache.org/thread.html/r0c76b3d0be348f788cd947054141de0229af00c540...

https://lists.apache.org/thread.html/r1975078e44d96f2a199aa90aa874b57a202eaf7f25...

https://lists.apache.org/thread.html/rcafa485d63550657f068775801aeb706b7a07140a8...

https://lists.apache.org/thread.html/rdb223e1b82e3d7d8e4eaddce8dd1ab87252e3935cc...

Patch https://www.oracle.com//security-alerts/cpujul2021.html

Patch https://www.oracle.com/security-alerts/cpuapr2022.html

Patch https://www.oracle.com/security-alerts/cpujan2022.html