CVE-2020-8551: Kubelet DoS via API #89377
Labels
area/kubelet
area/security
committee/security-response
Denotes an issue or PR intended to be handled by the product security committee.
kind/bug
Categorizes issue or PR as related to a bug.
official-cve-feed
Issues or PRs related to CVEs officially announced by Security Response Committee (SRC)
sig/node
Categorizes an issue or PR as relevant to SIG Node.
Comments
k8s-ci-robot
added
area/security
kind/bug
|
Is v1.15.10 the affected version or the fixed version? It's listed under both. |
|
Sorry, 1.15.10 is fixed. |
|
Do we have relevant PR here? |
|
@tallclair would you tell where is the pr, thx |
|
This was fixed by #87913 |
|
@tallclair thank you |
|
/label official-cve-feed (Related to kubernetes/sig-security#1) |
k8s-ci-robot
added
the
official-cve-feed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVSS Rating: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (Medium)
The Kubelet has been found to be vulnerable to a denial of service attack via the kubelet API, including the unauthenticated HTTP read-only API typically served on port 10255, and the authenticated HTTPS API typically served on port 10250.
Am I vulnerable?
If an attacker can make a request to an unpatched kubelet, then you may be vulnerable to this.
Affected Versions
How do I mitigate this vulnerability?
Limit access to the Kubelet API or patch the Kubelet.
Fixed Versions
To upgrade, refer to the documentation: https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster
Acknowledgements
This vulnerability was reported by: Henrik Schmidt
/area security
/kind bug
/committee product-security
/sig node
/area kubelet
The text was updated successfully, but these errors were encountered: