Security information

The MKE 3.8.1 patch release focuses exclusively on CVE mitigation. To this end, the following middleware component versions have been upgraded to resolve vulnerabilities in MKE:

  • [MKE-12092] cri-dockerd 0.3.16, which contains a Golang bump to 1.23.3.

The following table details the specific CVE addressed, CVE-2024-24790.

| CVE | Status | Image mitigated | Problem details from upstream |
|---|---|---|---|
| CVE-2024-24790 | Resolved | ucp-hyperkube | The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms. |
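The upstream issue is in Go's `net/netip` package. The following added example (not code from MKE, cri-dockerd, or the Go project) shows a defensive pattern for address-based allow/deny checks: unmap IPv4-mapped IPv6 addresses before calling the Is methods, so the verdict does not depend on which Go release built the binary. The `classify` function, the `verdict` type, and the sample addresses are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
)

// verdict is a hypothetical result type for this example.
type verdict struct {
	Addr     netip.Addr // address after normalization
	Mapped   bool       // input was an IPv4-mapped IPv6 address (::ffff:a.b.c.d)
	Internal bool       // loopback, private, link-local or unspecified
}

// classify parses s and decides whether it points at an internal address.
// It calls Unmap() first, so ::ffff:127.0.0.1 is evaluated as 127.0.0.1
// and the Is methods see the plain IPv4 form they handle correctly.
func classify(s string) (verdict, error) {
	addr, err := netip.ParseAddr(s)
	if err != nil {
		return verdict{}, fmt.Errorf("parse %q: %w", s, err)
	}
	v := verdict{Mapped: addr.Is4In6()}
	addr = addr.Unmap() // no-op for plain IPv4 and native IPv6
	v.Addr = addr
	v.Internal = addr.IsLoopback() || addr.IsPrivate() ||
		addr.IsLinkLocalUnicast() || addr.IsUnspecified()
	return v, nil
}

func main() {
	// Constructed sample inputs.
	samples := []string{
		"127.0.0.1", "::ffff:127.0.0.1", "::ffff:10.0.0.5",
		"::ffff:169.254.169.254", "::ffff:8.8.8.8", "::1", "not-an-ip",
	}
	for _, s := range samples {
		v, err := classify(s)
		if err != nil {
			fmt.Printf("%-24s rejected: %v\n", s, err)
			continue
		}
		fmt.Printf("%-24s normalized=%-16s mapped=%-5t internal=%t\n",
			s, v.Addr, v.Mapped, v.Internal)
	}
}
```

Recording the `Mapped` flag alongside the verdict also gives a useful log signal, since mapped forms of internal addresses rarely appear in legitimate input.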