rhba-2019_0862
Vulnerability from csaf_redhat
Published
2019-04-23 17:40
Modified
2024-11-05 15:53
Summary
Red Hat Bug Fix Advisory: containernetworking-plugins bug fix and enhancement update

Notes

Topic
An updated containernetworking-plugins package that fixes several bugs and adds various enhancements is now available for Red Hat Enterprise Linux 7 Extras.
Details
The Container Network Interface (CNI) project consists of a specification and libraries for writing plug-ins for configuring network interfaces in Linux containers, along with a number of supported plug-ins. CNI concerns itself only with network connectivity of containers and removing allocated resources when the container is deleted. Users of containernetworking-plugins are advised to upgrade to this updated package, which fixes these bugs and adds these enhancements.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.



{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An updated containernetworking-plugins package that fixes several bugs and adds various enhancements is now available for Red Hat Enterprise Linux 7 Extras.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "The Container Network Interface (CNI) project consists of a specification and libraries for writing plug-ins for configuring network interfaces in Linux containers, along with a number of supported plug-ins. CNI concerns itself only with network connectivity of containers and removing allocated resources when the container is deleted.\n\nUsers of containernetworking-plugins are advised to upgrade to this updated package, which fixes these bugs and adds these enhancements.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHBA-2019:0862",
        "url": "https://access.redhat.com/errata/RHBA-2019:0862"
      },
      {
        "category": "external",
        "summary": "1693406",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1693406"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhba-2019_0862.json"
      }
    ],
    "title": "Red Hat Bug Fix Advisory: containernetworking-plugins bug fix and enhancement update",
    "tracking": {
      "current_release_date": "2024-11-05T15:53:09+00:00",
      "generator": {
        "date": "2024-11-05T15:53:09+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.1.1"
        }
      },
      "id": "RHBA-2019:0862",
      "initial_release_date": "2019-04-23T17:40:38+00:00",
      "revision_history": [
        {
          "date": "2019-04-23T17:40:38+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2019-04-23T17:40:38+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-05T15:53:09+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux 7 Extras",
                "product": {
                  "name": "Red Hat Enterprise Linux 7 Extras",
                  "product_id": "7Server-EXTRAS-7.6",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:rhel_extras_other:7"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Enterprise Linux Extras"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "containernetworking-plugins-debuginfo-0:0.7.5-2.el7.aarch64",
                "product": {
                  "name": "containernetworking-plugins-debuginfo-0:0.7.5-2.el7.aarch64",
                  "product_id": "containernetworking-plugins-debuginfo-0:0.7.5-2.el7.aarch64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/containernetworking-plugins-debuginfo@0.7.5-2.el7?arch=aarch64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "containernetworking-plugins-0:0.7.5-2.el7.aarch64",
                "product": {
                  "name": "containernetworking-plugins-0:0.7.5-2.el7.aarch64",
                  "product_id": "containernetworking-plugins-0:0.7.5-2.el7.aarch64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/containernetworking-plugins@0.7.5-2.el7?arch=aarch64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "containernetworking-plugins-debuginfo-0:0.7.5-2.el7.x86_64",
                "product": {
                  "name": "containernetworking-plugins-debuginfo-0:0.7.5-2.el7.x86_64",
                  "product_id": "containernetworking-plugins-debuginfo-0:0.7.5-2.el7.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/containernetworking-plugins-debuginfo@0.7.5-2.el7?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "containernetworking-plugins-0:0.7.5-2.el7.x86_64",
                "product": {
                  "name": "containernetworking-plugins-0:0.7.5-2.el7.x86_64",
                  "product_id": "containernetworking-plugins-0:0.7.5-2.el7.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/containernetworking-plugins@0.7.5-2.el7?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "containernetworking-plugins-debuginfo-0:0.7.5-2.el7.s390x",
                "product": {
                  "name": "containernetworking-plugins-debuginfo-0:0.7.5-2.el7.s390x",
                  "product_id": "containernetworking-plugins-debuginfo-0:0.7.5-2.el7.s390x",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/containernetworking-plugins-debuginfo@0.7.5-2.el7?arch=s390x"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "containernetworking-plugins-0:0.7.5-2.el7.s390x",
                "product": {
                  "name": "containernetworking-plugins-0:0.7.5-2.el7.s390x",
                  "product_id": "containernetworking-plugins-0:0.7.5-2.el7.s390x",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/containernetworking-plugins@0.7.5-2.el7?arch=s390x"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "containernetworking-plugins-debuginfo-0:0.7.5-2.el7.ppc64le",
                "product": {
                  "name": "containernetworking-plugins-debuginfo-0:0.7.5-2.el7.ppc64le",
                  "product_id": "containernetworking-plugins-debuginfo-0:0.7.5-2.el7.ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/containernetworking-plugins-debuginfo@0.7.5-2.el7?arch=ppc64le"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "containernetworking-plugins-0:0.7.5-2.el7.ppc64le",
                "product": {
                  "name": "containernetworking-plugins-0:0.7.5-2.el7.ppc64le",
                  "product_id": "containernetworking-plugins-0:0.7.5-2.el7.ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/containernetworking-plugins@0.7.5-2.el7?arch=ppc64le"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "containernetworking-plugins-0:0.7.5-2.el7.src",
                "product": {
                  "name": "containernetworking-plugins-0:0.7.5-2.el7.src",
                  "product_id": "containernetworking-plugins-0:0.7.5-2.el7.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/containernetworking-plugins@0.7.5-2.el7?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "containernetworking-plugins-0:0.7.5-2.el7.aarch64 as a component of Red Hat Enterprise Linux 7 Extras",
          "product_id": "7Server-EXTRAS-7.6:containernetworking-plugins-0:0.7.5-2.el7.aarch64"
        },
        "product_reference": "containernetworking-plugins-0:0.7.5-2.el7.aarch64",
        "relates_to_product_reference": "7Server-EXTRAS-7.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "containernetworking-plugins-0:0.7.5-2.el7.ppc64le as a component of Red Hat Enterprise Linux 7 Extras",
          "product_id": "7Server-EXTRAS-7.6:containernetworking-plugins-0:0.7.5-2.el7.ppc64le"
        },
        "product_reference": "containernetworking-plugins-0:0.7.5-2.el7.ppc64le",
        "relates_to_product_reference": "7Server-EXTRAS-7.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "containernetworking-plugins-0:0.7.5-2.el7.s390x as a component of Red Hat Enterprise Linux 7 Extras",
          "product_id": "7Server-EXTRAS-7.6:containernetworking-plugins-0:0.7.5-2.el7.s390x"
        },
        "product_reference": "containernetworking-plugins-0:0.7.5-2.el7.s390x",
        "relates_to_product_reference": "7Server-EXTRAS-7.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "containernetworking-plugins-0:0.7.5-2.el7.src as a component of Red Hat Enterprise Linux 7 Extras",
          "product_id": "7Server-EXTRAS-7.6:containernetworking-plugins-0:0.7.5-2.el7.src"
        },
        "product_reference": "containernetworking-plugins-0:0.7.5-2.el7.src",
        "relates_to_product_reference": "7Server-EXTRAS-7.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "containernetworking-plugins-0:0.7.5-2.el7.x86_64 as a component of Red Hat Enterprise Linux 7 Extras",
          "product_id": "7Server-EXTRAS-7.6:containernetworking-plugins-0:0.7.5-2.el7.x86_64"
        },
        "product_reference": "containernetworking-plugins-0:0.7.5-2.el7.x86_64",
        "relates_to_product_reference": "7Server-EXTRAS-7.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "containernetworking-plugins-debuginfo-0:0.7.5-2.el7.aarch64 as a component of Red Hat Enterprise Linux 7 Extras",
          "product_id": "7Server-EXTRAS-7.6:containernetworking-plugins-debuginfo-0:0.7.5-2.el7.aarch64"
        },
        "product_reference": "containernetworking-plugins-debuginfo-0:0.7.5-2.el7.aarch64",
        "relates_to_product_reference": "7Server-EXTRAS-7.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "containernetworking-plugins-debuginfo-0:0.7.5-2.el7.ppc64le as a component of Red Hat Enterprise Linux 7 Extras",
          "product_id": "7Server-EXTRAS-7.6:containernetworking-plugins-debuginfo-0:0.7.5-2.el7.ppc64le"
        },
        "product_reference": "containernetworking-plugins-debuginfo-0:0.7.5-2.el7.ppc64le",
        "relates_to_product_reference": "7Server-EXTRAS-7.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "containernetworking-plugins-debuginfo-0:0.7.5-2.el7.s390x as a component of Red Hat Enterprise Linux 7 Extras",
          "product_id": "7Server-EXTRAS-7.6:containernetworking-plugins-debuginfo-0:0.7.5-2.el7.s390x"
        },
        "product_reference": "containernetworking-plugins-debuginfo-0:0.7.5-2.el7.s390x",
        "relates_to_product_reference": "7Server-EXTRAS-7.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "containernetworking-plugins-debuginfo-0:0.7.5-2.el7.x86_64 as a component of Red Hat Enterprise Linux 7 Extras",
          "product_id": "7Server-EXTRAS-7.6:containernetworking-plugins-debuginfo-0:0.7.5-2.el7.x86_64"
        },
        "product_reference": "containernetworking-plugins-debuginfo-0:0.7.5-2.el7.x86_64",
        "relates_to_product_reference": "7Server-EXTRAS-7.6"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2019-9946",
      "cwe": {
        "id": "CWE-841",
        "name": "Improper Enforcement of Behavioral Workflow"
      },
      "discovery_date": "2019-03-25T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1692712"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Cloud Native Computing Foundation (CNCF) CNI (Container Networking Interface) 0.7.4 has a network firewall misconfiguration which affects Kubernetes. The CNI \u0027portmap\u0027 plugin, used to set up HostPorts for CNI, inserts rules at the front of the iptables nat chains, which take precedence over the KUBE-SERVICES chain. Because of this, the HostPort/portmap rule could match incoming traffic even if there were better fitting, more specific service definition rules like NodePorts later in the chain. The issue is fixed in CNI 0.7.5 and Kubernetes 1.11.9, 1.12.7, 1.13.5, and 1.14.0.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "kubernetes: Incorrect rule injection in CNI portmap plugin",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "While this issue affects the CNI portmap plugin that is bundled with Kubernetes, it does not affect OpenShift Container Platform as the vulnerable plugin is not included.\n\nIt also does not affect the version of Kubernetes (embedded in heketi) shipped with Red Hat Gluster Storage 3 as it does not contain the vulnerable code.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "7Server-EXTRAS-7.6:containernetworking-plugins-0:0.7.5-2.el7.aarch64",
          "7Server-EXTRAS-7.6:containernetworking-plugins-0:0.7.5-2.el7.ppc64le",
          "7Server-EXTRAS-7.6:containernetworking-plugins-0:0.7.5-2.el7.s390x",
          "7Server-EXTRAS-7.6:containernetworking-plugins-0:0.7.5-2.el7.src",
          "7Server-EXTRAS-7.6:containernetworking-plugins-0:0.7.5-2.el7.x86_64",
          "7Server-EXTRAS-7.6:containernetworking-plugins-debuginfo-0:0.7.5-2.el7.aarch64",
          "7Server-EXTRAS-7.6:containernetworking-plugins-debuginfo-0:0.7.5-2.el7.ppc64le",
          "7Server-EXTRAS-7.6:containernetworking-plugins-debuginfo-0:0.7.5-2.el7.s390x",
          "7Server-EXTRAS-7.6:containernetworking-plugins-debuginfo-0:0.7.5-2.el7.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-9946"
        },
        {
          "category": "external",
          "summary": "RHBZ#1692712",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1692712"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-9946",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-9946"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-9946",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9946"
        },
        {
          "category": "external",
          "summary": "https://discuss.kubernetes.io/t/announce-security-release-of-kubernetes-affecting-certain-network-configurations-with-cni-releases-1-11-9-1-12-7-1-13-5-and-1-14-0-cve-2019-9946/5713",
          "url": "https://discuss.kubernetes.io/t/announce-security-release-of-kubernetes-affecting-certain-network-configurations-with-cni-releases-1-11-9-1-12-7-1-13-5-and-1-14-0-cve-2019-9946/5713"
        }
      ],
      "release_date": "2019-03-28T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2019-04-23T17:40:38+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "7Server-EXTRAS-7.6:containernetworking-plugins-0:0.7.5-2.el7.aarch64",
            "7Server-EXTRAS-7.6:containernetworking-plugins-0:0.7.5-2.el7.ppc64le",
            "7Server-EXTRAS-7.6:containernetworking-plugins-0:0.7.5-2.el7.s390x",
            "7Server-EXTRAS-7.6:containernetworking-plugins-0:0.7.5-2.el7.src",
            "7Server-EXTRAS-7.6:containernetworking-plugins-0:0.7.5-2.el7.x86_64",
            "7Server-EXTRAS-7.6:containernetworking-plugins-debuginfo-0:0.7.5-2.el7.aarch64",
            "7Server-EXTRAS-7.6:containernetworking-plugins-debuginfo-0:0.7.5-2.el7.ppc64le",
            "7Server-EXTRAS-7.6:containernetworking-plugins-debuginfo-0:0.7.5-2.el7.s390x",
            "7Server-EXTRAS-7.6:containernetworking-plugins-debuginfo-0:0.7.5-2.el7.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHBA-2019:0862"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.0"
          },
          "products": [
            "7Server-EXTRAS-7.6:containernetworking-plugins-0:0.7.5-2.el7.aarch64",
            "7Server-EXTRAS-7.6:containernetworking-plugins-0:0.7.5-2.el7.ppc64le",
            "7Server-EXTRAS-7.6:containernetworking-plugins-0:0.7.5-2.el7.s390x",
            "7Server-EXTRAS-7.6:containernetworking-plugins-0:0.7.5-2.el7.src",
            "7Server-EXTRAS-7.6:containernetworking-plugins-0:0.7.5-2.el7.x86_64",
            "7Server-EXTRAS-7.6:containernetworking-plugins-debuginfo-0:0.7.5-2.el7.aarch64",
            "7Server-EXTRAS-7.6:containernetworking-plugins-debuginfo-0:0.7.5-2.el7.ppc64le",
            "7Server-EXTRAS-7.6:containernetworking-plugins-debuginfo-0:0.7.5-2.el7.s390x",
            "7Server-EXTRAS-7.6:containernetworking-plugins-debuginfo-0:0.7.5-2.el7.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "kubernetes: Incorrect rule injection in CNI portmap plugin"
    }
  ]
}

