[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] CVE-2019-11254: Kubernetes: denial of service vulnerability from malicious YAML paylo
From: CJ Cullen <cjcullen () google ! com>
Date: 2020-03-31 23:07:32
Message-ID: CABdrxGDFrs7pUS5DNae80GQds8vc3qAavJrTkH-fVEmxXvfMtg () mail ! gmail ! com
[Download RAW message or body]
Hello Kubernetes Community,
A denial of service vulnerability in the Kubernetes API Server was
discovered and assigned CVE-2019-11254. This vulnerability has been given
an initial severity of Medium (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H>.
Details are below and at https://issue.k8s.io/89535
The following versions including the fix have been released:
-
v1.15.10 <https://github.com/kubernetes/kubernetes/releases/tag/v1.15.10>
-
v1.16.7 <https://github.com/kubernetes/kubernetes/releases/tag/v1.16.7>
-
v1.17.3 <https://github.com/kubernetes/kubernetes/releases/tag/v1.17.3>
Details
CVE-2019-11254 is a denial of service vulnerability in the kube-apiserver,
allowing authorized users sending malicious YAML payloads to cause
kube-apiserver to consume excessive CPU cycles while parsing YAML.
The issue was discovered
<https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18496> via the fuzz
test kubernetes/kubernetes#83750
<https://github.com/kubernetes/kubernetes/pull/83750>.
Affected components:
Kubernetes API server
Affected versions:
-
<= v1.15.9
-
v1.16.0-v1.16.6
-
v1.17.0-v1.17.2
How do I mitigate this vulnerability?
Prior to upgrading, these vulnerabilities can be mitigated by preventing
unauthenticated or unauthorized access to kube-apiserver.
Acknowledgements
Thanks to Mark Wolters from Google for writing the fuzz tests
<http://kubernetes/kubernetes#83750>, and to oss-fuzz
<https://github.com/google/oss-fuzz> for the support.
Thanks to Mike Danese from Google for reporting this issue
<https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18496>.
- CJ Cullen on behalf of the Kubernetes Product Security Team
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic