The Kubernetes API server in all versions allows an attacker who is able to create a ClusterIP service and set the spec.externalIPs field to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.
Vulnerable Product |
---|
kubernetes kubernetes |
oracle communications cloud native core network slice selection function 1.2.1 |
oracle communications cloud native core service communication proxy 1.14.0 |
oracle communications cloud native core policy 1.15.0 |
Light load from Redmond as everyone else seeks to bury bad news, sorry, align in update cadence
Patch Tuesday For December's Patch Tuesday bug bonanza, Microsoft handed out fixes for a mere 58 vulnerabilities while various other orgs addressed shortcomings in their own software in separate, parallel announcements. On the one hand, vendors glommed to Microsoft's Patch Tuesday on the pretense that users and system administrators could plan their patching around a regular, monthly cadence. On the other hand, it lets developers emit all their bad news at once and ideally avoid headlines specif...