Hello Kubernetes Community,
Two security issues were discovered in Kubernetes that could lead to a recoverable denial of service.
CVE-2020-8551 affects the kubelet, and has been rated Medium (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2020-8552 affects the API server, and has also been rated Medium (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
Am I vulnerable?
If an attacker can make an authorized resource request to an unpatched API server (see below), then you may be vulnerable to CVE-2020-8552. If an attacker can make an authorized request to an unpatched kubelet, then you may be vulnerable to CVE-2020-8551.
Affected Versions
CVE-2020-8551 affects:
- kubelet v1.17.0 - v1.17.2
- kubelet v1.16.0 - v1.16.6
- kubelet v1.15.0 - v1.15.10
- kubelets prior to v1.15.0 are unaffected
CVE-2020-8552 affects:
- kube-apiserver v1.17.0 - v1.17.2
- kube-apiserver v1.16.0 - v1.16.6
- kube-apiserver < v1.15.10
How do I mitigate this vulnerability?
Prior to upgrading, these vulnerabilities can be mitigated by:
- Preventing unauthenticated or unauthorized access to the affected components
- Ensuring the apiserver and kubelet automatically restart in the event of an OOM error, so that the denial of service is recoverable
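One concrete form of the first mitigation on the kubelet side, as an added example rather than text from the original announcement: a KubeletConfiguration file that refuses anonymous requests and delegates authorization of each request to the API server, so only identities that pass SubjectAccessReview can reach the kubelet API. The client CA path is an assumption; substitute the path used on your nodes.

```yaml
# Hardened kubelet configuration (added example; field names are the
# kubelet.config.k8s.io/v1beta1 KubeletConfiguration schema).
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    # Weak setting would be `enabled: true`, which lets any client on the
    # node network send requests as system:anonymous.
    enabled: false
  webhook:
    # Validate bearer tokens against the API server (TokenReview).
    enabled: true
  x509:
    # Path is an assumption; use the CA that issued your node/client certs.
    clientCAFile: /etc/kubernetes/pki/ca.crt
authorization:
  # Weak setting would be `mode: AlwaysAllow`; Webhook asks the API server
  # (SubjectAccessReview) whether the caller may perform the request.
  mode: Webhook
# Disable the unauthenticated read-only port entirely.
readOnlyPort: 0
```

Pair this with `--anonymous-auth=false` and RBAC on kube-apiserver so that the same "authorized request only" bar applies to both affected components.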
Fixed Versions
Both vulnerabilities are patched in kubernetes versions
Additional Details
See the GitHub issues for more details:
CVE-2020-8551: https://github.com/kubernetes/kubernetes/issues/89377
CVE-2020-8552: https://github.com/kubernetes/kubernetes/issues/89378
Thank You,
Tim Allclair on behalf of the Kubernetes Product Security Committee