Hello Kubernetes Community,
A denial of service vulnerability was reported in kube-apiserver in which authorized users with API write permissions can cause the API server to consume excessive resources while handling a write request. The issue is medium severity and can be resolved by upgrading the kube-apiserver to v1.11.8, v1.12.6, or v1.13.4.
Am I vulnerable?
The following versions of kube-apiserver are vulnerable:
How can I mitigate the vulnerability prior to upgrade?
Remove ‘patch’ permissions from untrusted users.
Users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type “json-patch” (e.g. `kubectl patch --type json` or `"Content-Type: application/json-patch+json"`) that consumes excessive resources while processing, causing a Denial of Service on the API Server. There is no information disclosure or permission escalation associated with this vulnerability.
This issue is filed as CVE-2019-1002100. We have rated it as CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (6.5, medium) See GitHub issue #74534 for more details.
Thanks to Carl Henrik Lunde for reporting this problem. As a reminder, if you find a security vulnerability in Kubernetes, please report it following the security disclosure process.
Thanks to Chao Xu and Jordan Liggitt for developing the fix, and thanks to the patch release managers Aleksandra Malinowska, Timothy Pepper, Pengfei Ni, and Anirudh Ramanathan for coordinating the releases.
-CJ Cullen on behalf of the Kubernetes Product Security Team