
CVE-2020-8552: apiserver DoS (oom) #89378

Closed
tallclair opened this issue Mar 23, 2020 · 4 comments
Labels

  • area/security
  • committee/security-response: Denotes an issue or PR intended to be handled by the product security committee.
  • kind/bug: Categorizes issue or PR as related to a bug.
  • official-cve-feed: Issues or PRs related to CVEs officially announced by Security Response Committee (SRC)
  • sig/api-machinery: Categorizes an issue or PR as relevant to SIG API Machinery.

Comments

@tallclair
Member

CVSS Rating: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (Medium)

The Kubernetes API server has been found to be vulnerable to a denial of service attack via authorized API requests.

Am I vulnerable?

If an attacker can make an authorized resource request to an unpatched API server (see below), then you are vulnerable to this. Prior to v1.14, this was possible via unauthenticated requests by default.

Affected Versions

  • kube-apiserver v1.17.0 - v1.17.2
  • kube-apiserver v1.16.0 - v1.16.6
  • kube-apiserver < v1.15.10

How do I mitigate this vulnerability?

Prior to upgrading, this vulnerability can be mitigated by:

  • Preventing unauthenticated or unauthorized access to all APIs
  • The apiserver should auto restart if it OOMs

Fixed Versions

  • v1.17.3
  • v1.16.7
  • v1.15.10

To upgrade, refer to the documentation: https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster

Acknowledgements

This vulnerability was reported by: Gus Lees (Amazon)

/area security
/kind bug
/committee product-security
/sig api-machinery

@tallclair tallclair added the kind/bug Categorizes issue or PR as related to a bug. label Mar 23, 2020
@k8s-ci-robot k8s-ci-robot added area/security committee/security-response Denotes an issue or PR intended to be handled by the product security committee. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. labels Mar 23, 2020
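As an added check that is not part of the issue or the Kubernetes project's code: a small Python script that classifies a kube-apiserver version string against the affected and fixed ranges listed in the advisory above, and inspects an apiserver command line for the `--anonymous-auth` flag (a real kube-apiserver flag, default true), which is the usual way to satisfy the first mitigation of refusing unauthenticated access. The version ranges are the ones from the advisory; `CONSTRUCTED_ARGS` is a made-up command line, and the function names and verdict strings are assumptions of this example.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Affected ranges taken from the advisory text above (inclusive on both ends).
AFFECTED_RANGES: Dict[int, Tuple[Version, Version]] = {
    17: ((1, 17, 0), (1, 17, 2)),
    16: ((1, 16, 0), (1, 16, 6)),
}
# "kube-apiserver < v1.15.10": every release below this is affected.
OLDEST_FIXED: Version = (1, 15, 10)

# Accepts "v1.16.7", "1.16.7" and distro-suffixed forms such as "v1.16.7-gke.1".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Return (major, minor, patch) for a kube-apiserver version string."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(text: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(text)
    if v < OLDEST_FIXED:
        return True
    if v[0] == 1 and v[1] in AFFECTED_RANGES:
        low, high = AFFECTED_RANGES[v[1]]
        return low <= v <= high
    return False


def _truthy(value: str) -> bool:
    # Mirrors the spellings Go's strconv.ParseBool treats as true.
    return value.strip().lower() in ("1", "t", "true")


def anonymous_auth_enabled(args: List[str]) -> bool:
    """Inspect a kube-apiserver argument list for --anonymous-auth.

    The flag defaults to true when absent, so a server left at the default
    accepts the unauthenticated requests the advisory mentions.
    """
    enabled = True
    it = iter(args)
    for arg in it:
        if arg == "--anonymous-auth":
            enabled = _truthy(next(it, "true"))
        elif arg.startswith("--anonymous-auth="):
            enabled = _truthy(arg.split("=", 1)[1])
    return enabled


def assess(version: str, args: List[str]) -> Dict[str, object]:
    """Combine both checks into one verdict for a single apiserver instance."""
    affected = is_affected(version)
    anonymous = anonymous_auth_enabled(args)
    if not affected:
        action = "fixed release; no action needed for CVE-2020-8552"
    elif anonymous:
        action = "upgrade; until then set --anonymous-auth=false and restrict API access"
    else:
        action = "upgrade; anonymous access already disabled, keep authorization tight"
    return {"version": version, "affected": affected,
            "anonymous_auth": anonymous, "action": action}


# Constructed sample command line (not taken from any real cluster).
CONSTRUCTED_ARGS = [
    "kube-apiserver",
    "--etcd-servers=https://127.0.0.1:2379",
    "--authorization-mode=Node,RBAC",
]

if __name__ == "__main__":
    for ver in ("v1.17.2", "v1.17.3", "v1.16.3-gke.1", "v1.13.12", "v1.18.0"):
        print(assess(ver, CONSTRUCTED_ARGS))
```

The version check is deliberately strict about the "< v1.15.10" range: any release older than 1.15.10, whatever its minor number, is reported as affected, while 1.18 and later are outside every listed range and are reported as fixed.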
@rata
Member

rata commented Mar 24, 2020

Is it possible to include a link to the PR/commit that fixed this?

@tallclair
Member Author

This was fixed by #87669

@ping035627
Contributor

This was fixed by #87673 in v1.17.3

@PushkarJ
Member

PushkarJ commented Dec 2, 2021

/label official-cve-feed

(Related to kubernetes/sig-security#1)
