Kubernetes: CVE-2020-8552: apiserver DoS (oom)

Created on 23 Mar 2020  ·  2 Comments  ·  Source: kubernetes/kubernetes

CVSS Rating: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (Medium)

The Kubernetes API server has been found to be vulnerable to a denial of service attack via authorized API requests.

Am I vulnerable?

If an attacker can make an authorized resource request to an unpatched API server (see below), then you are vulnerable to this. Prior to v1.14, this was possible via unauthenticated requests by default.

Affected Versions

  • kube-apiserver v1.17.0 - v1.17.2
  • kube-apiserver v1.16.0 - v1.16.6
  • kube-apiserver < v1.15.10

How do I mitigate this vulnerability?

Prior to upgrading, this vulnerability can be mitigated by:

  • Preventing unauthenticated or unauthorized access to all APIs
  • The apiserver should auto restart if it OOMs

Fixed Versions

  • v1.17.3
  • v1.16.7
  • v1.15.10

To upgrade, refer to the documentation: https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster

Acknowledgements

This vulnerability was reported by: Gus Lees (Amazon)

/area security
/kind bug
/committee product-security
/sig api-machinery
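As an added example (not part of the advisory or of the Kubernetes project's own tooling), the script below turns the "Am I vulnerable?" and "How do I mitigate" sections into a repeatable check a cluster operator can run against a control-plane node: it tests a kube-apiserver version string against the affected ranges listed above, and inspects a static-pod manifest for the two pre-upgrade mitigations (anonymous/unauthorized access rejected, and the apiserver restarted after an OOM kill). The manifest and version strings are constructed for illustration; `--anonymous-auth` and `--authorization-mode` are real kube-apiserver flags, but the check itself is an assumption about how the mitigations are typically expressed, not something the advisory prescribes.

```python
import re
from typing import Dict, List, Tuple

# Affected ranges exactly as listed in the advisory above (inclusive bounds).
AFFECTED_RANGES = [
    ((1, 17, 0), (1, 17, 2)),
    ((1, 16, 0), (1, 16, 6)),
    ((0, 0, 0), (1, 15, 9)),   # everything below v1.15.10
]

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'v1.16.6' or '1.16.6-eks-1' (vendor suffix ignored) into (major, minor, patch)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised kube-apiserver version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if this kube-apiserver version falls in one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def apiserver_flags(manifest: Dict) -> Dict[str, str]:
    """Collect --flag=value pairs from the kube-apiserver container's command/args."""
    flags: Dict[str, str] = {}
    for container in manifest["spec"]["containers"]:
        if container["name"] != "kube-apiserver":
            continue
        for arg in container.get("command", []) + container.get("args", []):
            if arg.startswith("--") and "=" in arg:
                key, value = arg[2:].split("=", 1)
                flags[key] = value
    return flags


def mitigation_findings(manifest: Dict) -> List[str]:
    """Return a list of gaps against the advisory's two pre-upgrade mitigations (empty = none found)."""
    findings: List[str] = []
    flags = apiserver_flags(manifest)
    # --anonymous-auth defaults to true; the advisory's first mitigation is to reject
    # unauthenticated access, so anything other than an explicit 'false' is a finding.
    if flags.get("anonymous-auth", "true") != "false":
        findings.append("anonymous requests are accepted (--anonymous-auth is not false)")
    # AlwaysAllow authorizes every request, so no caller is 'unauthorized'.
    modes = flags.get("authorization-mode", "AlwaysAllow").split(",")
    if "AlwaysAllow" in modes:
        findings.append("--authorization-mode includes AlwaysAllow")
    # Second mitigation: the kubelet restarts an OOM-killed static-pod container
    # only under restartPolicy Always (the default when the field is omitted).
    if manifest["spec"].get("restartPolicy", "Always") != "Always":
        findings.append("restartPolicy is not Always; apiserver will not restart after an OOM kill")
    return findings


def assess(version: str, manifest: Dict) -> Dict[str, object]:
    """Combine the version check and the mitigation check into one report."""
    return {
        "version": version,
        "affected": is_affected(version),
        "mitigation_gaps": mitigation_findings(manifest),
    }


# Constructed sample manifests, shaped like /etc/kubernetes/manifests/kube-apiserver.yaml
# (dicts rather than YAML so the example has no third-party dependency).
WEAK_MANIFEST = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "kube-apiserver", "namespace": "kube-system"},
    "spec": {
        "containers": [{
            "name": "kube-apiserver",
            "image": "k8s.gcr.io/kube-apiserver:v1.16.6",
            "command": ["kube-apiserver", "--authorization-mode=Node,RBAC",
                        "--secure-port=6443"],
        }],
    },
}

HARDENED_MANIFEST = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "kube-apiserver", "namespace": "kube-system"},
    "spec": {
        "restartPolicy": "Always",
        "containers": [{
            "name": "kube-apiserver",
            "image": "k8s.gcr.io/kube-apiserver:v1.16.7",
            "command": ["kube-apiserver", "--anonymous-auth=false",
                        "--authorization-mode=Node,RBAC", "--secure-port=6443"],
        }],
    },
}

if __name__ == "__main__":
    for ver, manifest in (("v1.16.6", WEAK_MANIFEST), ("v1.16.7", HARDENED_MANIFEST)):
        print(assess(ver, manifest))
```

The version check is only a first filter: a fixed version with `--anonymous-auth` left at its default still exposes the API surface the advisory warns about to every network client, so treat an empty `mitigation_gaps` list on a patched version as the goal, not either condition alone.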

All 2 comments

Is it possible to include a link to the PR/commit that fixed this?
