Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2019-1002100: json-patch requests can exhaust apiserver resources #74534

Closed
cjcullen opened this Issue Feb 25, 2019 · 3 comments

Comments

Projects
None yet
4 participants
@cjcullen
Copy link
Member

cjcullen commented Feb 25, 2019

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) (6.5, medium)

Users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type “json-patch” (e.g. kubectl patch --type json or "Content-Type: application/json-patch+json") that consumes excessive resources while processing, causing a Denial of Service on the API Server.

Thanks to Carl Henrik Lunde for reporting this problem.

CVE-2019-1002100 is fixed in the following Kubernetes releases:

Affected components:

  • Kubernetes API server

Affected versions:

  • Kubernetes v1.0.x-1.10.x
  • Kubernetes v1.11.0-1.11.7 (fixed in v1.11.8)
  • Kubernetes v1.12.0-1.12.5 (fixed in v1.12.6)
  • Kubernetes v1.13.0-1.13.3 (fixed in v1.13.4)

Mitigations:

  • Remove ‘patch’ permissions from untrusted users.

Note: If you are using binaries or packages provided by a distributor (not the ones provided in the open source release artifacts), you should contact them to determine what versions resolve this CVE. Distributors may choose to provide support for older releases beyond the ones maintained by the open source project.

@cjcullen cjcullen added the kind/bug label Feb 25, 2019

@cjcullen cjcullen self-assigned this Feb 25, 2019

@cjcullen cjcullen changed the title Placeholder CVE-2019-1002100: json-patch requests can exhaust apiserver resources Mar 1, 2019

@k8s-ci-robot k8s-ci-robot removed the needs-sig label Mar 1, 2019

@cjcullen cjcullen closed this Mar 1, 2019

@tuminoid

This comment has been minimized.

Copy link

tuminoid commented Mar 4, 2019

Why this issue number isn't mentioned in any of the release notes?

@timoreimann

This comment has been minimized.

Copy link
Contributor

timoreimann commented Mar 4, 2019

@tuminoid I think PR 74000 (which is referencing this issue above) is the fix that is mentioned in the release notes (at least for 1.13.4).

@tuminoid

This comment has been minimized.

Copy link

tuminoid commented Mar 4, 2019

Thanks @timoreimann. #74000 appears in all release notes.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.