Date: Tue, 31 Mar 2020 16:07:32 -0700 From: CJ Cullen <cjcullen@...gle.com> To: kubernetes-announce@...glegroups.com, kubernetes-dev <kubernetes-dev@...glegroups.com>, kubernetes-security-announce@...glegroups.com, kubernetes-security-discuss@...glegroups.com, oss-security@...ts.openwall.com, kubernetes+announcements@...coursemail.com Subject: CVE-2019-11254: Kubernetes: denial of service vulnerability from malicious YAML payloads Hello Kubernetes Community, A denial of service vulnerability in the Kubernetes API Server was discovered and assigned CVE-2019-11254. This vulnerability has been given an initial severity of Medium (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) <https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H>. Details are below and at https://issue.k8s.io/89535 The following versions including the fix have been released: - v1.15.10 <https://github.com/kubernetes/kubernetes/releases/tag/v1.15.10> - v1.16.7 <https://github.com/kubernetes/kubernetes/releases/tag/v1.16.7> - v1.17.3 <https://github.com/kubernetes/kubernetes/releases/tag/v1.17.3> Details CVE-2019-11254 is a denial of service vulnerability in the kube-apiserver, allowing authorized users sending malicious YAML payloads to cause kube-apiserver to consume excessive CPU cycles while parsing YAML. The issue was discovered <https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18496> via the fuzz test kubernetes/kubernetes#83750 <https://github.com/kubernetes/kubernetes/pull/83750>. Affected components: Kubernetes API server Affected versions: - <= v1.15.9 - v1.16.0-v1.16.6 - v1.17.0-v1.17.2 How do I mitigate this vulnerability? Prior to upgrading, these vulnerabilities can be mitigated by preventing unauthenticated or unauthorized access to kube-apiserver. Acknowledgements Thanks to Mark Wolters from Google for writing the fuzz tests <http://kubernetes/kubernetes#83750>, and to oss-fuzz <https://github.com/google/oss-fuzz> for the support. Thanks to Mike Danese from Google for reporting this issue <https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18496>. - CJ Cullen on behalf of the Kubernetes Product Security Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.