Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2020-8552: apiserver DoS (oom) #89378

tallclair opened this issue Mar 23, 2020 · 2 comments

CVE-2020-8552: apiserver DoS (oom) #89378

tallclair opened this issue Mar 23, 2020 · 2 comments


Copy link

@tallclair tallclair commented Mar 23, 2020

CVSS Rating: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (Medium)

The Kubernetes API server has been found to be vulnerable to a denial of service attack via authorized API requests.

Am I vulnerable?

If an attacker that can make an authorized resource request to an unpatched API server (see below), then you are vulnerable to this. Prior to v1.14, this was possible via unauthenticated requests by default.

Affected Versions

  • kube-apiserver v1.17.0 - v1.17.2
  • kube-apiserver v1.16.0 - v1.16.6
  • kube-apiserver < v1.15.10

How do I mitigate this vulnerability?

Prior to upgrading, this vulnerability can be mitigated by:

  • Preventing unauthenticated or unauthorized access to all apis
  • The apiserver should auto restart if it OOMs

Fixed Versions

  • v1.17.3
  • v1.16.7
  • v1.15.10

To upgrade, refer to the documentation:


This vulnerability was reported by: Gus Lees (Amazon)

/area security
/kind bug
/committee product-security
/sig api-machinery


This comment has been minimized.

Copy link

@rata rata commented Mar 24, 2020

Is it possible to include a link to the PR/commit that fixed this?


This comment has been minimized.

Copy link
Member Author

@tallclair tallclair commented Mar 27, 2020

This was fixed by #87669

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
3 participants
You can’t perform that action at this time.