Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2019-1002100: json-patch requests can exhaust apiserver resources #74534

Closed
cjcullen opened this issue Feb 25, 2019 · 4 comments
Closed

CVE-2019-1002100: json-patch requests can exhaust apiserver resources #74534

cjcullen opened this issue Feb 25, 2019 · 4 comments
Assignees
Labels
area/security kind/bug Categorizes issue or PR as related to a bug. official-cve-feed Issues or PRs related to CVEs officially announced by Security Response Committee (SRC) sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery.

Comments

@cjcullen
Copy link
Member

cjcullen commented Feb 25, 2019

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) (6.5, medium)

Users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type “json-patch” (e.g. kubectl patch --type json or "Content-Type: application/json-patch+json") that consumes excessive resources while processing, causing a Denial of Service on the API Server.

Thanks to Carl Henrik Lunde for reporting this problem.

CVE-2019-1002100 is fixed in the following Kubernetes releases:

Affected components:

  • Kubernetes API server

Affected versions:

  • Kubernetes v1.0.x-1.10.x
  • Kubernetes v1.11.0-1.11.7 (fixed in v1.11.8)
  • Kubernetes v1.12.0-1.12.5 (fixed in v1.12.6)
  • Kubernetes v1.13.0-1.13.3 (fixed in v1.13.4)

Mitigations:

  • Remove ‘patch’ permissions from untrusted users.

Note: If you are using binaries or packages provided by a distributor (not the ones provided in the open source release artifacts), you should contact them to determine what versions resolve this CVE. Distributors may choose to provide support for older releases beyond the ones maintained by the open source project.

Post-mortem:

@cjcullen cjcullen added the kind/bug Categorizes issue or PR as related to a bug. label Feb 25, 2019
@k8s-ci-robot k8s-ci-robot added the needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. label Feb 25, 2019
@cjcullen cjcullen self-assigned this Feb 25, 2019
@cjcullen cjcullen changed the title Placeholder CVE-2019-1002100: json-patch requests can exhaust apiserver resources Mar 1, 2019
@cjcullen cjcullen added area/security sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. labels Mar 1, 2019
@k8s-ci-robot k8s-ci-robot removed the needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. label Mar 1, 2019
@cjcullen cjcullen closed this as completed Mar 1, 2019
@tuminoid
Copy link

tuminoid commented Mar 4, 2019

Why this issue number isn't mentioned in any of the release notes?

@timoreimann
Copy link
Contributor

@tuminoid I think PR 74000 (which is referencing this issue above) is the fix that is mentioned in the release notes (at least for 1.13.4).

@tuminoid
Copy link

tuminoid commented Mar 4, 2019

Thanks @timoreimann. #74000 appears in all release notes.

@PushkarJ
Copy link
Member

/label official-cve-feed

(Related to kubernetes/sig-security#1)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/security kind/bug Categorizes issue or PR as related to a bug. official-cve-feed Issues or PRs related to CVEs officially announced by Security Response Committee (SRC) sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery.
Projects
None yet
Development

No branches or pull requests

6 participants