Fixes available for CVE-2019-9946
A vulnerability has been discovered in the “portmap” CNI plugin affecting versions prior to 0.7.5 of the portmap plugin. Portmap is a kubernetes component but is bundled in Tigera Calico & Tigera Secure releases. We also recommend you update to a patched version of Kubernetes to ensure the vulnerable plugin is not in use.
Prior to the fix, HostPort rules would take precedence over more specific services like NodePorts, potentially delivering traffic to the wrong location.
- All Tigera Secure Enterprise Edition releases up to and including the following patch releases in their respective minor release streams: v2.3.0, v2.2.3, v2.1.1.
- All Calico releases up to and including the following patch releases in their respective minor release streams: v3.2.6, v3.3.5, v3.4.3, v3.5.3, v3.6.0.
- All Calico releases in release streams v3.1.x and earlier
Tigera Secure Cloud Edition is not directly affected, but operators are strongly cautioned to consider whether their Kubernetes platform is affected and update to a fixed version of Kubernetes.
Indicators of Impact/Compromise
Audit your Kubernetes cluster for any pods with hostPorts that conflict numerically with any nodePorts. Conflicts indicate that some traffic may be being misdirected.
Workaround / Remediation
We recommend that all users upgrade to a fixed version of Tigera Calico/Tigera Secure and a fixed version of Kubernetes.
If you cannot update to a fixed version, you can manually install a fixed portmap binary on each Kubernetes node. You will also need to configure Tigera Calico/Tigera Secure not to install the portmap binary by setting the environment variable SKIP_CNI_BINARIES=”portmap” on the install-cni container.
If neither upgrading nor manually installing a fixed portmap binary is possible, you can proactively audit your Kubernetes cluster to ensure that pods are not being created with hostPorts that numerically conflict with nodePorts, and immediately remediate any pod hostPorts that conflict.
This issue has been fixed in the following patches:
- Calico v3.2.7
- Calico v3.3.6
- Calico v3.4.4
- Calico v3.5.4
- Calico v3.6.1
- Tigera Secure Enterprise Edition 2.3.1
Return to List