oss-sec mailing list archives
CVE-2020-8551, CVE-2020-8552: Kubernetes: Denial of service
From: Tim Allclair <tallclair () google com>
Date: Mon, 23 Mar 2020 11:37:19 -0700
Hello Kubernetes Community,

Two security issues were discovered in Kubernetes that could lead to a recoverable denial of service.

CVE-2020-8551 affects the kubelet, and has been rated Medium (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L <https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L>).

CVE-2020-8552 affects the API server, and has also been rated Medium (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L <https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L>).

Am I vulnerable?

If an attacker can make an authorized resource request to an unpatched API server (see below), then you may be vulnerable to CVE-2020-8552.

If an attacker can make an authorized request to an unpatched kubelet, then you may be vulnerable to CVE-2020-8551.

Affected Versions

CVE-2020-8551 affects:
- kubelet v1.17.0 - v1.17.2
- kubelet v1.16.0 - v1.16.6
- kubelet v1.15.0 - v1.15.10
- kubelets prior to v1.15.0 are unaffected

CVE-2020-8552 affects:
- kube-apiserver v1.17.0 - v1.17.2
- kube-apiserver v1.16.0 - v1.16.6
- kube-apiserver < v1.15.10

How do I mitigate this vulnerability?

Prior to upgrading, these vulnerabilities can be mitigated by:
- Preventing unauthenticated or unauthorized access to the affected components
- The apiserver and kubelet should auto restart in the event of an OOM error

Fixed Versions

Both vulnerabilities are patched in Kubernetes versions
- v1.17.3
- v1.16.7
- v1.15.10

To upgrade, refer to the documentation:
https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster

Additional Details

See the GitHub issues for more details:
CVE-2020-8551: https://github.com/kubernetes/kubernetes/issues/89377
CVE-2020-8552: https://github.com/kubernetes/kubernetes/issues/89378

Thank You,
Tim Allclair on behalf of the Kubernetes Product Security Committee
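The "Am I vulnerable?" and "Affected Versions" sections above amount to a version-range check across two components: the API server version and the kubelet version on every node. The script below is an added example, not code from the announcement or from the Kubernetes project. It encodes the ranges as listed in the message and evaluates them against version strings of the form `kubectl version` and `kubectl get nodes -o json` (`.items[].status.nodeInfo.kubeletVersion`) return. Two assumptions are made explicit in the code: the announcement lists kubelet v1.15.10 both as affected and as a fixed version, and the check follows the "Fixed Versions" list (a component at or above its minor's fixed patch is treated as patched); and versions outside the listed minors (for example a future 1.18) are reported as not covered by this advisory rather than as affected. The node list used for the demonstration is constructed, not captured from a real cluster.

```python
"""Check Kubernetes component versions against the affected ranges published
for CVE-2020-8551 (kubelet) and CVE-2020-8552 (kube-apiserver).

Added example; not the advisory's or the Kubernetes project's own code.
"""
import re
from typing import Dict, List, Tuple

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")

# First patch release of each listed minor that carries the fix, from the
# announcement's "Fixed Versions" list (v1.17.3, v1.16.7, v1.15.10).
FIXED_PATCH = {17: 3, 16: 7, 15: 10}


def parse_version(s: str) -> Tuple[int, int, int]:
    """Parse 'v1.16.6' or '1.16.6-gke.3' into (major, minor, patch).

    Distribution suffixes after the patch number are ignored, since the
    announcement's ranges are expressed on upstream patch numbers.
    """
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Kubernetes version string: {s!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def kubelet_affected(version: str) -> bool:
    """CVE-2020-8551: kubelet v1.15.0 up to the fixed patch of each minor.

    Assumption: v1.15.10 is listed under both affected and fixed versions;
    this follows the fixed list and treats 1.15.10 as patched.
    Kubelets prior to v1.15.0 are unaffected per the announcement.
    """
    major, minor, patch = parse_version(version)
    if (major, minor, patch) < (1, 15, 0):
        return False
    fixed = FIXED_PATCH.get(minor) if major == 1 else None
    if fixed is None:
        return False  # minor not listed in the advisory; treated as not covered
    return patch < fixed


def apiserver_affected(version: str) -> bool:
    """CVE-2020-8552: kube-apiserver < v1.15.10, v1.16.0-v1.16.6, v1.17.0-v1.17.2."""
    major, minor, patch = parse_version(version)
    if (major, minor, patch) < (1, 15, 10):
        return True  # "kube-apiserver < v1.15.10" covers every earlier release
    fixed = FIXED_PATCH.get(minor) if major == 1 else None
    if fixed is None:
        return False  # minor not listed in the advisory; treated as not covered
    return patch < fixed


def assess_cluster(apiserver_version: str, nodes_json: Dict) -> Dict:
    """Evaluate one API server version and a `kubectl get nodes -o json` document."""
    kubelets = {}
    for item in nodes_json.get("items", []):
        name = item["metadata"]["name"]
        kv = item["status"]["nodeInfo"]["kubeletVersion"]
        kubelets[name] = {"version": kv, "affected": kubelet_affected(kv)}
    affected_nodes: List[str] = sorted(n for n, r in kubelets.items() if r["affected"])
    return {
        "apiserver": {"version": apiserver_version,
                      "affected": apiserver_affected(apiserver_version)},
        "kubelets": kubelets,
        "affected_nodes": affected_nodes,
    }


# Constructed sample in the shape of `kubectl get nodes -o json` (not real data).
SAMPLE_NODES = {
    "items": [
        {"metadata": {"name": "cp-1"},
         "status": {"nodeInfo": {"kubeletVersion": "v1.16.6"}}},
        {"metadata": {"name": "worker-1"},
         "status": {"nodeInfo": {"kubeletVersion": "v1.16.7"}}},
        {"metadata": {"name": "worker-2"},
         "status": {"nodeInfo": {"kubeletVersion": "v1.14.10"}}},
    ]
}

if __name__ == "__main__":
    report = assess_cluster("v1.17.2", SAMPLE_NODES)
    print("kube-apiserver", report["apiserver"])
    for node, r in report["kubelets"].items():
        print(node, r)
    print("nodes needing a kubelet upgrade:", report["affected_nodes"])
```

In the constructed sample the API server at v1.17.2 and the v1.16.6 kubelet on `cp-1` fall inside the listed ranges, while the v1.14.10 kubelet on `worker-2` is below v1.15.0 and therefore unaffected by CVE-2020-8551 even though an API server of that age would be affected by CVE-2020-8552. Because the kubelet check applies per node, a cluster with a patched control plane but a mixed node pool still needs every node reviewed.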