SB2020071556 - Fedora 32 update for origin

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2020071556

SB2020071556 - Fedora 32 update for origin

Published: July 15, 2020 Updated: April 25, 2025

Security Bulletin ID SB2020071556
Severity
High
Patch available
YES
Number of vulnerabilities 4
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 25% Medium 50% Low 25%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 4 secuirty vulnerabilities.


1) Uncontrolled Memory Allocation (CVE-ID: CVE-2020-8551)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists in the Kubelet component due to improper allocation of memory in the kubelet API, including the unauthenticated HTTP read-only API typically served on port 10255, and the authenticated HTTPS API typically served on port 10250. A remote attacker on the local network can cause a denial of service condition on the target system.


2) Uncontrolled Memory Allocation (CVE-ID: CVE-2020-8552)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists in the Kubernetes API server component due to improper allocation of memory. A remote attacker can send a specially crafted API request and cause a denial of service condition on the target system.


3) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2020-8555)

The vulnerability allows a remote authenticated user to gain access to sensitive information.

The Kubernetes kube-controller-manager in versions v1.0-1.14, versions prior to v1.15.12, v1.16.9, v1.17.5, and version v1.18.0 are vulnerable to a Server Side Request Forgery (SSRF) that allows certain authorized users to leak up to 500 bytes of arbitrary information from unprotected endpoints within the master's host network (such as link-local or loopback services).


4) Use-after-free (CVE-ID: CVE-2020-8945)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error, as demonstrated by use for container image pulls by Docker or CRI-O. A remote attacker can crash the target system, or cause potential code execution for Go applications that use this library under certain conditions during GPG signature verification.


Remediation

Install update from vendor's website.

References