Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2020-8552: apiserver DoS (oom) #89378

Closed
tallclair opened this issue Mar 23, 2020 · 2 comments
Closed

CVE-2020-8552: apiserver DoS (oom) #89378

tallclair opened this issue Mar 23, 2020 · 2 comments

Comments

@tallclair
Copy link
Member

@tallclair tallclair commented Mar 23, 2020

CVSS Rating: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (Medium)

The Kubernetes API server has been found to be vulnerable to a denial of service attack via authorized API requests.

Am I vulnerable?

If an attacker that can make an authorized resource request to an unpatched API server (see below), then you are vulnerable to this. Prior to v1.14, this was possible via unauthenticated requests by default.

Affected Versions

  • kube-apiserver v1.17.0 - v1.17.2
  • kube-apiserver v1.16.0 - v1.16.6
  • kube-apiserver < v1.15.10

How do I mitigate this vulnerability?

Prior to upgrading, this vulnerability can be mitigated by:

  • Preventing unauthenticated or unauthorized access to all apis
  • The apiserver should auto restart if it OOMs

Fixed Versions

  • v1.17.3
  • v1.16.7
  • v1.15.10

To upgrade, refer to the documentation: https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster

Acknowledgements

This vulnerability was reported by: Gus Lees (Amazon)

/area security
/kind bug
/committee product-security
/sig api-machinery

@rata

This comment has been minimized.

Copy link
Member

@rata rata commented Mar 24, 2020

Is it possible to include a link to the PR/commit that fixed this?

@tallclair

This comment has been minimized.

Copy link
Member Author

@tallclair tallclair commented Mar 27, 2020

This was fixed by #87669

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
3 participants
You can’t perform that action at this time.