CNI Portmap Plugin Vulnerability

MEDIUM (6.6) Patch Available

Threat Intelligence

Medium Risk - Detectable
EPSS Score: 0.01% chance of exploitation (percentile: 1%)
🔍 Detection Tools: OSV.dev
⚔️ Exploit Availability: No public exploits found

What is it?

The CNI portmap plugin is a component of container networking that allows containers to emulate opening a host port. This vulnerability occurs when the plugin is configured with the nftables backend and does not properly filter traffic, allowing containers to intercept all traffic destined for a specific port. This can lead to unauthorized access to sensitive data or systems.

Am I affected?

You're affected if you use CNI portmap. Affected versions: 1.8.0, 1.6.0. If you don't recognise this software, you're probably not affected.

Affected Products

Container Network Interface (CNI) project / CNI portmap plugin

How to fix

To fix this issue:
- Upgrade to CNI portmap version 1.9.0.
- Configure the plugin to use the iptables backend instead of nftables.

Immediate mitigations if upgrade isn't possible:
- Restrict network access to your container instances (firewall them from the public internet)
- Audit container networking configuration files for suspicious settings
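One way to run the configuration audit above, as an added example (not code from this advisory or from the CNI project): it reads CNI network configs and reports which backend each portmap entry selects. It assumes configs live in `/etc/cni/net.d` and that portmap reads its backend from a `backend` key; the function names and the sample config are constructed, and an unset backend is marked for manual review on the assumption that the plugin then picks one at runtime.

```python
import json
from pathlib import Path

# Constructed sample config, not taken from any real host.
SAMPLE_CONFLIST = """
{
  "cniVersion": "1.0.0",
  "name": "demo-net",
  "plugins": [
    {"type": "bridge", "bridge": "cni0"},
    {"type": "portmap", "backend": "nftables", "capabilities": {"portMappings": true}}
  ]
}
"""

def classify(backend):
    """Map a portmap 'backend' value to an audit verdict."""
    if backend == "nftables":
        return "FLAG"    # the backend this advisory describes
    if backend == "iptables":
        return "OK"      # the backend the advisory recommends
    return "REVIEW"      # unset/other: assumed to be resolved by the plugin at runtime

def portmap_findings(conf, source="<inline>"):
    """Return (source, network, backend, verdict) for each portmap entry."""
    if not isinstance(conf, dict):
        return []
    # A .conflist has a "plugins" array; a single-plugin .conf is the plugin itself.
    plugins = conf.get("plugins") or [conf]
    return [(source, conf.get("name", "?"), p.get("backend"), classify(p.get("backend")))
            for p in plugins if isinstance(p, dict) and p.get("type") == "portmap"]

def audit_dir(path="/etc/cni/net.d"):  # assumed default CNI config directory
    """Scan CNI config files in 'path'; unparsable files are reported, not skipped."""
    findings = []
    for f in sorted(Path(path).glob("*")):
        if f.suffix not in {".conf", ".conflist", ".json"}:
            continue
        try:
            findings.extend(portmap_findings(json.loads(f.read_text()), str(f)))
        except (OSError, ValueError) as exc:
            findings.append((str(f), "?", None, f"UNREADABLE: {exc}"))
    return findings

if __name__ == "__main__":
    for row in portmap_findings(json.loads(SAMPLE_CONFLIST)) + audit_dir():
        print(row)
```

The config file does not record the installed plugin version, so a `FLAG` result still needs to be checked against the affected versions listed above.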