ASA-2019-00571 – Kubernetes: API Server JSON/YAML parsing vulnerable to resource exhaustion attack


Allele Security Alert

ASA-2019-00571

Identifier(s)

ASA-2019-00571, CVE-2019-11253

Title

API Server JSON/YAML parsing vulnerable to resource exhaustion attack

Vendor(s)

Cloud Native Computing Foundation

Product(s)

Kubernetes

Affected version(s)

Kubernetes versions before v1.16.2
Kubernetes versions before v1.15.5
Kubernetes versions before v1.14.8
Kubernetes versions before v1.13.12

Fixed version(s)

Kubernetes version v1.16.2
Kubernetes version v1.15.5
Kubernetes version v1.14.8
Kubernetes version v1.13.12

Proof of concept

Yes

Description

Denial of service vulnerability in the kube-apiserver: an authorized user who sends a malicious YAML or JSON payload can cause the kube-apiserver to consume excessive CPU or memory, potentially crashing it and making it unavailable. Prior to v1.14.0, the default RBAC policy authorized anonymous users to submit requests that could trigger this vulnerability.
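The fix referenced below ("limit yaml/json decode size") caps how much input the API server's decoder is allowed to consume. The following is an added example, not Kubernetes' own code, that sketches that control in Go using only the standard library: a bounded reader for the request body, and an HTTP handler that rejects oversized bodies with 413 before any YAML or JSON parsing begins. The 3 MiB constant, the request path and the function names are assumptions chosen for illustration.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// maxDecodeBytes is the cap applied to a request body before it reaches the
// YAML/JSON decoder. The value is an illustrative choice for this example.
const maxDecodeBytes int64 = 3 * 1024 * 1024

// ErrBodyTooLarge is returned when a request body exceeds the configured limit.
var ErrBodyTooLarge = errors.New("request body exceeds decode size limit")

// readLimitedBody reads at most limit bytes from r. If the source holds more
// than limit bytes, it stops reading and returns ErrBodyTooLarge instead of
// buffering an unbounded payload into memory.
func readLimitedBody(r io.Reader, limit int64) ([]byte, error) {
	// Read one byte past the limit so "exactly limit" and "over limit" differ.
	lr := io.LimitReader(r, limit+1)
	data, err := io.ReadAll(lr)
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > limit {
		return nil, ErrBodyTooLarge
	}
	return data, nil
}

// applyHandler models an API endpoint that accepts a serialized object.
// It wraps the body in http.MaxBytesReader, which stops reading at the cap
// and marks the connection to be closed, and answers oversized bodies with 413.
func applyHandler(limit int64) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Body = http.MaxBytesReader(w, r.Body, limit)
		data, err := io.ReadAll(r.Body)
		if err != nil {
			http.Error(w, "request entity too large", http.StatusRequestEntityTooLarge)
			return
		}
		// Decoding would happen here; the example only reports the accepted size.
		fmt.Fprintf(w, "accepted %d bytes\n", len(data))
	})
}

// postStatus submits a constructed body of the given size to applyHandler and
// returns the HTTP status code, so the limit can be exercised without a network.
func postStatus(bodySize int, limit int64) int {
	body := bytes.Repeat([]byte("a"), bodySize)
	req := httptest.NewRequest(http.MethodPost, "/apis/example/v1/things", bytes.NewReader(body))
	rec := httptest.NewRecorder()
	applyHandler(limit).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed inputs: one under the limit, one over it.
	small := bytes.Repeat([]byte("x"), 16)
	if _, err := readLimitedBody(bytes.NewReader(small), 32); err != nil {
		fmt.Println("unexpected:", err)
	}
	big := bytes.Repeat([]byte("x"), 64)
	if _, err := readLimitedBody(bytes.NewReader(big), 32); errors.Is(err, ErrBodyTooLarge) {
		fmt.Println("rejected oversized body before decoding")
	}
	fmt.Println("status for 10 KiB body under 3 MiB limit:", postStatus(10*1024, maxDecodeBytes))
	fmt.Println("status for 100-byte body under 64-byte limit:", postStatus(100, 64))
}
```

Bounding the raw input size does not by itself bound the expansion of YAML anchors and aliases inside a small document, which is why the cherry-pick references below also bump gopkg.in/yaml.v2; the two controls are complementary, and a deployment should monitor kube-apiserver CPU and memory alongside the request-size rejections (HTTP 413) that such a limit produces.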

Technical details

Unknown

Credits

Unknown

Reference(s)

CVE-2019-11253: Kubernetes API Server JSON/YAML parsing vulnerable to resource exhaustion attack #83253
https://github.com/kubernetes/kubernetes/issues/83253

Analysis of Two Newly Patched Kubernetes Vulnerabilities
https://blog.paloaltonetworks.com/2019/10/cloud-kubernetes-vulnerabilities/

CVE-2019-11253 Kubernetes API Server YAML Parsing Remote Denial of Service PoC aka “Billion Laughs”
https://gist.github.com/bgeesaman/0e0349e94cd22c48bf14d8a9b7d6b8f2

limit yaml/json decode size #83261
https://github.com/kubernetes/kubernetes/pull/83261

[1.13] Automated cherry pick of #83261: bump gopkg.in/yaml.v2 v2.2.4 #83436
https://github.com/kubernetes/kubernetes/pull/83436

[1.14] Automated cherry pick of #83261: bump gopkg.in/yaml.v2 v2.2.4 #83435
https://github.com/kubernetes/kubernetes/pull/83435

[1.15] Automated cherry pick of #83261: bump gopkg.in/yaml.v2 v2.2.4 #83434
https://github.com/kubernetes/kubernetes/pull/83434

[1.16] Automated cherry pick of #83261: bump gopkg.in/yaml.v2 v2.2.4 #83433
https://github.com/kubernetes/kubernetes/pull/83433

CVE-2019-11253
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11253

CVE-2019-11253
https://nvd.nist.gov/vuln/detail/CVE-2019-11253

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: October 21, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.