Allele Security Alert
Denial of service vulnerability in kube-apiserver
Cloud Native Computing Foundation
Kubernetes versions prior to v1.11.8
Kubernetes versions prior to v1.12.6
Kubernetes versions prior to v1.13.4
Kubernetes version v1.11.8
Kubernetes version v1.12.6
Kubernetes version v1.13.4
Proof of concept
A denial of service vulnerability was reported in kube-apiserver in which authorized users with API write permissions can cause the API server to consume excessive resources while handling a write request.
Users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type “json-patch” (e.g. `kubectl patch –type json` or `”Content-Type: application/json-patch+json”`) that consumes excessive resources while processing, causing a Denial of Service on the API Server.
Carl Henrik Lunde
Kubernetes Security Announcement – v1.11.8, 1.12.6, 1.13.4 released to address medium severity CVE-2019-1002100
CVE-2019-1002100: json-patch requests can exhaust apiserver resources #74534
Limit the number of operations in a single json patch to be 10,000 #74000
CVE-2019-1002100 - Red Hat Customer Portal
CVE-2019-1002100 | SUSE
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: October 2, 2019