Security Bulletins

Fixes available for CVE-2019-9946

Return to List


Fixes available for CVE-2019-9946

Reference: TTA-2019-001
Date published: 2019-March-28




A vulnerability has been discovered in the “portmap” CNI plugin affecting versions prior to 0.7.5 of the portmap plugin. Portmap is a kubernetes component but is bundled in Tigera Calico & Tigera Secure releases. We also recommend you update to a patched version of Kubernetes to ensure the vulnerable plugin is not in use.

Prior to the fix, HostPort rules would take precedence over more specific services like NodePorts, potentially delivering traffic to the wrong location.


Affected Releases

  • All Tigera Secure Enterprise Edition releases up to and including the following patch releases in their respective minor release streams: v2.3.0, v2.2.3, v2.1.1.
  • All Calico releases up to and including the following patch releases in their respective minor release streams: v3.2.6, v3.3.5, v3.4.3, v3.5.3, v3.6.0.
  • All Calico releases in release streams v3.1.x and earlier

Tigera Secure Cloud Edition is not directly affected, but operators are strongly cautioned to consider whether their Kubernetes platform is affected and update to a fixed version of Kubernetes.


Indicators of Impact/Compromise

Audit your Kubernetes cluster for any pods with hostPorts that conflict numerically with any nodePorts. Conflicts indicate that some traffic may be being misdirected.


Workaround / Remediation

We recommend that all users upgrade to a fixed version of Tigera Calico/Tigera Secure and a fixed version of Kubernetes.

If you cannot update to a fixed version, you can manually install a fixed portmap binary on each Kubernetes node. You will also need to configure Tigera Calico/Tigera Secure not to install the portmap binary by setting the environment variable SKIP_CNI_BINARIES=”portmap” on the install-cni container.

If neither upgrading nor manually installing a fixed portmap binary is possible, you can proactively audit your Kubernetes cluster to ensure that pods are not being created with hostPorts that numerically conflict with nodePorts, and immediately remediate any pod hostPorts that conflict.


Fixed Software

This issue has been fixed in the following patches:

Tigera Software

  • Calico v3.2.7
  • Calico v3.3.6
  • Calico v3.4.4
  • Calico v3.5.4
  • Calico v3.6.1
  • Tigera Secure Enterprise Edition 2.3.1

Kubernetes Software

  • 1.11.9
  • 1.12.7
  • 1.13.5
  • 1.14.0


External Reference
Return to List