ASA-2019-00117 – Kubernetes: Denial of service vulnerability in kube-apiserver

Posted on by Allele Security Intelligence in Alerts

Allele Security Alert

ASA-2019-00117

Identifier(s)

ASA-2019-00117, CVE-2019-1002100

Title

Denial of service vulnerability in kube-apiserver

Vendor(s)

Cloud Native Computing Foundation

Product(s)

Kubernetes

Affected version(s)

Kubernetes versions prior to v1.11.8
Kubernetes versions prior to v1.12.6
Kubernetes versions prior to v1.13.4

Fixed version(s)

Kubernetes version v1.11.8
Kubernetes version v1.12.6
Kubernetes version v1.13.4

Proof of concept

Unknown

Description

A denial of service vulnerability was reported in kube-apiserver in which authorized users with API write permissions can cause the API server to consume excessive resources while handling a write request.

Technical details

Users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type “json-patch” (e.g. `kubectl patch –type json` or `”Content-Type: application/json-patch+json”`) that consumes excessive resources while processing, causing a Denial of Service on the API Server.

Credits

Carl Henrik Lunde

Reference(s)

Kubernetes Security Announcement – v1.11.8, 1.12.6, 1.13.4 released to address medium severity CVE-2019-1002100
https://groups.google.com/forum/#!topic/kubernetes-security-announce/i-HEIs8WC5w

CVE-2019-1002100: json-patch requests can exhaust apiserver resources #74534
https://github.com/kubernetes/kubernetes/issues/74534

Limit the number of operations in a single json patch to be 10,000 #74000
https://github.com/kubernetes/kubernetes/pull/74000

CVE-2019-1002100 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2019-1002100

CVE-2019-1002100
https://security-tracker.debian.org/tracker/CVE-2019-1002100

CVE-2019-1002100 in Ubuntu
https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1002100.html

CVE-2019-1002100 | SUSE
https://www.suse.com/security/cve/CVE-2019-1002100

CVE-2019-1002100
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1002100

CVE-2019-1002100
https://nvd.nist.gov/vuln/detail/CVE-2019-1002100

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: October 2, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.