Hello Kubernetes Community,
Two security issues were discovered in Kubernetes that could lead to a recoverable denial of service.
CVE-2020-8551 affects the kubelet, and has been rated Medium (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2020-8552 affects the API server, and has also been rated Medium (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
Am I vulnerable?
If an attacker can make an authorized resource request to an unpatched API server (see below), then you may be vulnerable to CVE-2020-8552. If an attacker can make an authorized request to an unpatched kubelet, then you may be vulnerable to CVE-2020-8551.
- kubelet v1.17.0 - v1.17.2
- kubelet v1.16.0 - v1.16.6
- kubelet v1.15.0 - v1.15.10
- kubelets prior to v1.15.0 are unaffected
- kube-apiserver v1.17.0 - v1.17.2
- kube-apiserver v1.16.0 - v1.16.6
- kube-apiserver < v1.15.10
How do I mitigate this vulnerability?
Prior to upgrading, these vulnerabilities can be mitigated by:
- Preventing unauthenticated or unauthorized access to the affected components
- The apiserver and kubelet should auto restart in the event of an OOM error
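One way to verify the first mitigation on a node, as an added example that is not part of this advisory or of Kubernetes itself: a small audit of kubelet and kube-apiserver command lines for settings that admit unauthenticated or unauthorized requests. The flag names and defaults are the real ones; the sample command lines are constructed.

```python
"""Audit kubelet / kube-apiserver command lines for settings that leave the
component reachable by unauthenticated or unauthorized callers. Flag names and
defaults are the real ones; the sample command lines below are constructed."""
import shlex

# Value each component assumes when the flag is absent from the command line.
KUBELET_DEFAULTS = {"anonymous-auth": "true", "authorization-mode": "AlwaysAllow",
                    "read-only-port": "10255"}
APISERVER_DEFAULTS = {"anonymous-auth": "true", "authorization-mode": "AlwaysAllow"}


def parse_flags(cmdline):
    """Split 'path/kubelet --a=b --c' into ('kubelet', {'a': 'b', 'c': 'true'})."""
    argv = shlex.split(cmdline)
    flags = {}
    for tok in argv[1:]:
        if tok.startswith("--"):
            name, sep, value = tok[2:].partition("=")
            flags[name] = value if sep else "true"
    return argv[0].rsplit("/", 1)[-1], flags


def audit(cmdline):
    """Return the list of weaknesses found; an empty list means nothing was flagged."""
    binary, flags = parse_flags(cmdline)
    # A kubelet started with --config takes unset values from that file rather
    # than from the flag defaults, so only explicit flags can be judged here.
    has_config = binary == "kubelet" and "config" in flags
    defaults = {} if has_config else (KUBELET_DEFAULTS if binary == "kubelet" else APISERVER_DEFAULTS)
    get = lambda name: flags.get(name, defaults.get(name))
    findings = []
    if has_config:
        findings.append("unset options come from --config=%s; audit that file too" % flags["config"])
    if get("anonymous-auth") not in (None, "false"):
        findings.append("anonymous requests are accepted (set --anonymous-auth=false)")
    if "AlwaysAllow" in (get("authorization-mode") or "").split(","):
        findings.append("authorization mode AlwaysAllow grants every authenticated request")
    if binary == "kubelet" and get("read-only-port") not in (None, "0"):
        findings.append("unauthenticated read-only port is open (set --read-only-port=0)")
    return findings


# Constructed sample command lines, as one might read them from `ps -o args`.
SAMPLES = {
    "kubelet-weak": "/usr/bin/kubelet --kubeconfig=/etc/kubernetes/kubelet.conf",
    "kubelet-hardened": "/usr/bin/kubelet --anonymous-auth=false --authorization-mode=Webhook "
                        "--client-ca-file=/etc/kubernetes/pki/ca.crt --read-only-port=0",
    "apiserver-weak": "kube-apiserver --authorization-mode=Node,RBAC",
}

if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        print(name, audit(cmd) or ["ok"])
```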
Both vulnerabilities are patched in kubernetes versions
See the GitHub issues for more details:
Tim Allclair on behalf of the Kubernetes Product Security Committee