oss-sec mailing list archives
CVE-2019-11254: Kubernetes: denial of service vulnerability from malicious YAML payloads
From: CJ Cullen <cjcullen () google com>
Date: Tue, 31 Mar 2020 16:07:32 -0700
Hello Kubernetes Community, A denial of service vulnerability in the Kubernetes API Server was discovered and assigned CVE-2019-11254. This vulnerability has been given an initial severity of Medium (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) <https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H>. Details are below and at https://issue.k8s.io/89535 The following versions including the fix have been released: - v1.15.10 <https://github.com/kubernetes/kubernetes/releases/tag/v1.15.10> - v1.16.7 <https://github.com/kubernetes/kubernetes/releases/tag/v1.16.7> - v1.17.3 <https://github.com/kubernetes/kubernetes/releases/tag/v1.17.3> Details CVE-2019-11254 is a denial of service vulnerability in the kube-apiserver, allowing authorized users sending malicious YAML payloads to cause kube-apiserver to consume excessive CPU cycles while parsing YAML. The issue was discovered <https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18496> via the fuzz test kubernetes/kubernetes#83750 <https://github.com/kubernetes/kubernetes/pull/83750>. Affected components: Kubernetes API server Affected versions: - <= v1.15.9 - v1.16.0-v1.16.6 - v1.17.0-v1.17.2 How do I mitigate this vulnerability? Prior to upgrading, these vulnerabilities can be mitigated by preventing unauthenticated or unauthorized access to kube-apiserver. Acknowledgements Thanks to Mark Wolters from Google for writing the fuzz tests <http://kubernetes/kubernetes#83750>, and to oss-fuzz <https://github.com/google/oss-fuzz> for the support. Thanks to Mike Danese from Google for reporting this issue <https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18496>. - CJ Cullen on behalf of the Kubernetes Product Security Team
Current thread:
- CVE-2019-11254: Kubernetes: denial of service vulnerability from malicious YAML payloads CJ Cullen (Apr 01)