{"containers": {"cna": {"affected": [{"product": "openshift/ovn-kubernetes", "vendor": "n/a", "versions": [{"status": "affected", "version": "All ovn-kubernetes versions up to and including 0.3.0"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in OVN Kubernetes in versions up to and including 0.3.0 where the Egress Firewall does not reliably apply firewall rules when there is multiple DNS rules. It could lead to potentially lose of confidentiality, integrity or availability of a service."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-06-02T15:48:10", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1949188"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T16:53:17.925Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1949188"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2021-3499", "datePublished": "2021-06-02T15:48:10", "dateReserved": "2021-04-14T00:00:00", "dateUpdated": "2024-08-03T16:53:17.925Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ovn:ovn-kubernetes:*:*:*:*:*:*:*:*", "matchCriteriaId": "0CD8D000-5096-4239-B38F-A753F4B5189D", "versionEndIncluding": "0.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in OVN Kubernetes in versions up to and including 0.3.0 where the Egress Firewall does not reliably apply firewall rules when there is multiple DNS rules. It could lead to potentially lose of confidentiality, integrity or availability of a service."}, {"lang": "es", "value": "Se ha encontrado una vulnerabilidad en OVN Kubernetes en las versiones hasta 0.3.0 incluy\u00e9ndola, en la que Egress Firewall no aplica de forma fiable las reglas del firewall cuando se presentan m\u00faltiples reglas DNS. Esto podr\u00eda conllevar una posible p\u00e9rdida de la confidencialidad, integridad o disponibilidad de un servicio"}], "id": "CVE-2021-3499", "lastModified": "2023-02-12T23:41:11.097", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-06-02T16:15:10.320", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1949188"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "secalert@redhat.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"acknowledgement": "This issue was discovered by Michael Swenson (Red Hat).", "affected_release": [{"advisory": "RHBA-2021:1550", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4/driver-toolkit-rhel8:v4.7.0-202105102252.p0", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-05-19T00:00:00Z"}, {"advisory": "RHBA-2021:1550", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4/ose-aws-machine-controllers:v4.7.0-202105010012.p0", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-05-19T00:00:00Z"}, {"advisory": "RHBA-2021:1550", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4/ose-baremetal-installer-rhel8:v4.7.0-202105101449.p0", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-05-19T00:00:00Z"}, {"advisory": "RHBA-2021:1550", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4/ose-cloud-credential-operator:v4.7.0-202105061841.p0", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-05-19T00:00:00Z"}, {"advisory": "RHBA-2021:1550", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4/ose-cluster-authentication-operator:v4.7.0-202105061754.p0", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-05-19T00:00:00Z"}, {"advisory": "RHBA-2021:1550", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4/ose-cluster-config-operator:v4.7.0-202104291920.p0", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-05-19T00:00:00Z"}, {"advisory": "RHBA-2021:1550", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4/ose-cluster-dns-operator:v4.7.0-202104292145.p0", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-05-19T00:00:00Z"}, {"advisory": "RHBA-2021:1550", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4/ose-cluster-etcd-rhel8-operator:v4.7.0-202105072257.p0", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-05-19T00:00:00Z"}, {"advisory": "RHBA-2021:1550", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4/ose-cluster-image-registry-operator:v4.7.0-202104302340.p0", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-05-19T00:00:00Z"}, {"advisory": "RHBA-2021:1550", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4/ose-cluster-ingress-operator:v4.7.0-202104291920.p0", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-05-19T00:00:00Z"}, {"advisory": "RHBA-2021:1550", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4/ose-cluster-network-operator:v4.7.0-202105071917.p0", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-05-19T00:00:00Z"}, {"advisory": "RHBA-2021:1550", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4/ose-cluster-openshift-apiserver-operator:v4.7.0-202105061841.p0", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-05-19T00:00:00Z"}, {"advisory": "RHBA-2021:1550", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4/ose-cluster-update-keys:v4.7.0-202105060839.p0", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-05-19T00:00:00Z"}, {"advisory": "RHBA-2021:1550", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4/ose-console:v4.7.0-202105070703.p0", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-05-19T00:00:00Z"}, {"advisory": "RHBA-2021:1550", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4/ose-docker-builder:v4.7.0-202105060839.p0", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-05-19T00:00:00Z"}, {"advisory": "RHBA-2021:1550", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4/ose-gcp-pd-csi-driver-operator-rhel8:v4.7.0-202104290851.p0", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-05-19T00:00:00Z"}, {"advisory": "RHBA-2021:1550", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4/ose-hello-openshift-rhel8:v4.7.0-202105071232.p0", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-05-19T00:00:00Z"}, {"advisory": "RHBA-2021:1550", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4/ose-hyperkube:v4.7.0-202105091821.p0", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-05-19T00:00:00Z"}, {"advisory": "RHBA-2021:1550", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4/ose-insights-rhel8-operator:v4.7.0-202105062344.p0", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-05-19T00:00:00Z"}, {"advisory": "RHBA-2021:1550", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4/ose-installer:v4.7.0-202105101449.p0", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-05-19T00:00:00Z"}, {"advisory": "RHBA-2021:1550", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4/ose-installer-artifacts:v4.7.0-202105101449.p0", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-05-19T00:00:00Z"}, {"advisory": "RHBA-2021:1550", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4/ose-ironic-rhel8:v4.7.0-202105111107.p0", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-05-19T00:00:00Z"}, {"advisory": "RHBA-2021:1550", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4/ose-jenkins:v4.7.0-202105071334.p0", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-05-19T00:00:00Z"}, {"advisory": "RHBA-2021:1550", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4/ose-jenkins-agent-base:v4.7.0-202105062344.p0", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-05-19T00:00:00Z"}, {"advisory": "RHBA-2021:1550", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4/ose-jenkins-agent-maven:v4.7.0-202105062344.p0", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-05-19T00:00:00Z"}, {"advisory": "RHBA-2021:1550", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4/ose-jenkins-agent-nodejs-12-rhel8:v4.7.0-202105062344.p0", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-05-19T00:00:00Z"}, {"advisory": "RHBA-2021:1550", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4/ose-kuryr-cni-rhel8:v4.7.0-202105111940.p0", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-05-19T00:00:00Z"}, {"advisory": "RHBA-2021:1550", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4/ose-kuryr-controller-rhel8:v4.7.0-202105111940.p0", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-05-19T00:00:00Z"}, {"advisory": "RHBA-2021:1550", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4/ose-machine-api-operator:v4.7.0-202105071028.p0", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-05-19T00:00:00Z"}, {"advisory": "RHBA-2021:1550", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4/ose-machine-config-operator:v4.7.0-202105111858.p0", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-05-19T00:00:00Z"}, {"advisory": "RHBA-2021:1550", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4/ose-operator-lifecycle-manager:v4.7.0-202104300003.p0", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-05-19T00:00:00Z"}, {"advisory": "RHBA-2021:1550", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4/ose-operator-registry:v4.7.0-202104292145.p0", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-05-19T00:00:00Z"}, {"advisory": "RHBA-2021:1550", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4/ose-ovn-kubernetes:v4.7.0-202105071917.p0", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-05-19T00:00:00Z"}, {"advisory": "RHBA-2021:1550", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4/ose-sdn-rhel8:v4.7.0-202104280847.p0", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-05-19T00:00:00Z"}, {"advisory": "RHBA-2021:1550", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4/ose-tests:v4.7.0-202105110735.p0", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-05-19T00:00:00Z"}, {"advisory": "RHBA-2021:1550", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4/ose-thanos-rhel8:v4.7.0-202105061841.p0", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-05-19T00:00:00Z"}], "bugzilla": {"description": "openshift/ovn-kubernetes: Egress Firewall does not reliably apply firewall rules", "id": "1949188", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1949188"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "status": "verified"}, "cwe": "CWE-863", "details": ["A vulnerability was found in OVN Kubernetes in versions up to and including 0.3.0 where the Egress Firewall does not reliably apply firewall rules when there is multiple DNS rules. It could lead to potentially lose of confidentiality, integrity or availability of a service.", "A vulnerability was found in OVN Kubernetes where the Egress Firewall does not reliably apply firewall rules when there is multiple dns rules.\nIt could lead to potentially lose of confidentiality, integrity or availability of a service."], "name": "CVE-2021-3499", "public_date": "2021-04-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-3499\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-3499"], "statement": "In OpenShift Container Platform 4 the default Container Network Interface (CNI) network provider plug-in is OpenShift SDN, and it's not affected by this flaw. Only the OVN-Kubernetes CNI network provider is affected.", "threat_severity": "Moderate"}