oss-sec mailing list archives

[ANNOUNCE] Security release of Kubernetes v1.15.3, v1.14.6, v1.13.10 - CVE-2019-9512 and CVE-2019-9514


From: "Hausler, Micah" <mhausler () amazon com>
Date: Mon, 19 Aug 2019 22:55:47 +0000

Hello Kubernetes Community,

A security issue has been found in the net/http library of the Go language that affects all versions and all components of Kubernetes. The vulnerabilities can result in a DoS against any process with an HTTP or HTTPS listener.

Am I vulnerable?

Yes. All versions of Kubernetes are affected.

Go has released versions go1.12.8 and go1.11.13, and we have released the following versions of Kubernetes built using patched versions of Go.

- Kubernetes v1.15.3 - go1.12.9
- Kubernetes v1.14.6 - go1.12.9
- Kubernetes v1.13.10 - go1.11.13
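As an added illustration, not part of the advisory or of the Kubernetes project's own code, the following Go program turns the "Am I vulnerable?" question into a check: it reads the JSON that `kubectl version -o json` prints (the `gitVersion` and `goVersion` field names are the ones kubectl emits) and compares the client and server versions against the patched releases listed above. The sample JSON is constructed here, the branch cut-offs (v1.15.3, v1.14.6, v1.13.10; go1.12.8, go1.11.13) come from this announcement, and the helper and function names are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Status is the verdict for one version string against the advisory.
type Status string

const (
	Affected Status = "affected" // predates the first patched release on its branch
	Fixed    Status = "fixed"    // at or after the first patched release on its branch
	Unknown  Status = "unknown"  // a branch the advisory does not list
)

// First Kubernetes patch release on each branch built with a patched Go,
// taken from the advisory's list.
var fixedKubernetesPatch = map[string]int{"1.15": 3, "1.14": 6, "1.13": 10}

// Go releases the advisory names as carrying the net/http fix.
var fixedGoPatch = map[string]int{"1.12": 8, "1.11": 13}

// parseVersion extracts major.minor.patch from strings such as "v1.15.2",
// "v1.14.5-beta.0", "1.13.10+build.1" or "go1.12.9". A pre-release or build
// suffix is cut off; a two-component Go version ("go1.12") gets patch 0.
func parseVersion(s string) (major, minor, patch int, err error) {
	s = strings.TrimPrefix(strings.TrimPrefix(s, "go"), "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) == 2 {
		parts = append(parts, "0")
	}
	if len(parts) != 3 {
		return 0, 0, 0, fmt.Errorf("unrecognised version %q", s)
	}
	var nums [3]int
	for i, p := range parts {
		if nums[i], err = strconv.Atoi(p); err != nil {
			return 0, 0, 0, fmt.Errorf("unrecognised version %q: %v", s, err)
		}
	}
	return nums[0], nums[1], nums[2], nil
}

// statusAgainst compares a version with a table of first-fixed patch levels.
// Branches older than the oldest listed one received no patched release and
// are reported as affected; newer branches are outside the advisory's scope.
func statusAgainst(version string, fixed map[string]int, oldestMinor int) (Status, error) {
	major, minor, patch, err := parseVersion(version)
	if err != nil {
		return Unknown, err
	}
	if major != 1 {
		return Unknown, nil
	}
	first, listed := fixed[fmt.Sprintf("%d.%d", major, minor)]
	switch {
	case !listed && minor < oldestMinor:
		return Affected, nil
	case !listed:
		return Unknown, nil
	case patch >= first:
		return Fixed, nil
	default:
		return Affected, nil
	}
}

func kubernetesStatus(gitVersion string) (Status, error) {
	return statusAgainst(gitVersion, fixedKubernetesPatch, 13)
}

func goStatus(goVersion string) (Status, error) {
	return statusAgainst(goVersion, fixedGoPatch, 11)
}

// versionInfo holds the two fields of `kubectl version -o json` used here.
type versionInfo struct {
	GitVersion string `json:"gitVersion"`
	GoVersion  string `json:"goVersion"`
}

type kubectlVersion struct {
	ClientVersion versionInfo `json:"clientVersion"`
	ServerVersion versionInfo `json:"serverVersion"`
}

// Constructed sample: an upgraded kubectl talking to an API server that is
// still on an unpatched 1.14 release.
const sampleKubectlVersion = `{
  "clientVersion": {"gitVersion": "v1.15.3", "goVersion": "go1.12.9"},
  "serverVersion": {"gitVersion": "v1.14.5", "goVersion": "go1.12.5"}
}`

// assess returns the verdict for the client and server gitVersion fields.
func assess(kubectlJSON string) (client, server Status, err error) {
	var kv kubectlVersion
	if err = json.Unmarshal([]byte(kubectlJSON), &kv); err != nil {
		return Unknown, Unknown, err
	}
	if client, err = kubernetesStatus(kv.ClientVersion.GitVersion); err != nil {
		return Unknown, Unknown, err
	}
	server, err = kubernetesStatus(kv.ServerVersion.GitVersion)
	return client, server, err
}

func main() {
	client, server, err := assess(sampleKubectlVersion)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("client: %s, server: %s\n", client, server) // client: fixed, server: affected
}
```

The verdict is "unknown" for branches the list does not cover, so a reader on a newer minor release has to consult that release's notes rather than assume it is patched. kubectl only reports the client binary and the API server; kubelets, controllers and any other component with an HTTP listener are affected too, so their versions (for example the KUBELET VERSION column of `kubectl get nodes -o wide`) need the same comparison.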


How do I mitigate the vulnerability?

Upgrade to a patched version of Kubernetes, listed above.

How do I upgrade?

When new versions are released, you can follow the upgrade instructions at
https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster

Vulnerability details

Netflix recently announced a security advisory that identified several Denial of Service attack vectors that can affect server implementations of the HTTP/2 protocol, and has issued eight CVEs. [1]



Go is affected by two of the vulnerabilities (CVE-2019-9512 and CVE-2019-9514) and so Kubernetes components that serve HTTP/2 traffic (including /healthz) are also affected. [2]

These vulnerabilities allow untrusted clients to allocate an unlimited amount of memory, until the server crashes. The Product Security Committee has assigned this set of vulnerabilities a CVSS score of 7.5. [3]

[1] https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
[2] https://golang.org/doc/devel/release.html#go1.12
[3] https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H



Thank you

Thanks to Jonathan Looney from Netflix for discovering and reporting these issues to the Go community.

Thanks to Christoph Blecker, Benjamin Elder, and Tim Pepper for coordinating the fix and release.

Thank You,

Micah Hausler on behalf of the Kubernetes Product Security Committee


