[Security Advisory] CVE-2019-11254: denial of service vulnerability from malicious YAML payloads


CJ Cullen

31 Mar 2020 19:07:49
To kubernete...@googlegroups.com, kubernetes-dev, kubernetes-sec...@googlegroups.com, kubernetes-se...@googlegroups.com, oss-se...@lists.openwall.com, kubernetes+a...@discoursemail.com

Hello Kubernetes Community,


A denial of service vulnerability in the Kubernetes API Server was discovered and assigned CVE-2019-11254. This vulnerability has been given an initial severity of Medium (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). Details are below and at https://issue.k8s.io/89535


The following versions including the fix have been released:


Details

CVE-2019-11254 is a denial of service vulnerability in the kube-apiserver: authorized users who send malicious YAML payloads can cause kube-apiserver to consume excessive CPU cycles while parsing the YAML.


The issue was discovered via the fuzz test kubernetes/kubernetes#83750.


Affected components:

Kubernetes API server


Affected versions:

  • <= v1.15.9
  • v1.16.0-v1.16.6
  • v1.17.0-v1.17.2
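To check the version a cluster reports against the affected ranges listed above, here is an added example in Go. It is not part of the advisory or of the Kubernetes code base; the `IsAffected` function, the range table and the sample version strings are assumptions constructed for illustration. It compares versions numerically rather than as strings, so that v1.15.10 correctly sorts after v1.15.9, and it strips vendor or pre-release suffixes before comparing (a vendor build may have backported the fix, so treat the answer as a prompt to verify, not as proof).

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// kubeVersion is a parsed "vMAJOR.MINOR.PATCH" tag. Pre-release and build
// suffixes (e.g. "-rc.1", "-gke.1") are dropped before comparison, so the
// check reflects the upstream base version only.
type kubeVersion struct{ major, minor, patch int }

// parseVersion accepts forms such as "v1.16.6", "1.17.2" or "v1.17.3-gke.1"
// and returns the numeric triple.
func parseVersion(s string) (kubeVersion, error) {
	s = strings.TrimSpace(s)
	s = strings.TrimPrefix(s, "v")
	// Drop pre-release / build-metadata suffixes: "1.17.3-gke.1" -> "1.17.3".
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return kubeVersion{}, fmt.Errorf("unrecognised version %q", s)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return kubeVersion{}, fmt.Errorf("bad component %q in %q", p, s)
		}
		nums[i] = n
	}
	return kubeVersion{nums[0], nums[1], nums[2]}, nil
}

// less reports whether a < b numerically. A plain string comparison would
// order "1.15.10" before "1.15.9" and misclassify the fixed release.
func (a kubeVersion) less(b kubeVersion) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	return a.patch < b.patch
}

// affectedRange is a closed interval [lo, hi] of vulnerable releases.
type affectedRange struct{ lo, hi kubeVersion }

// Ranges as stated in the advisory: <= v1.15.9, v1.16.0-v1.16.6, v1.17.0-v1.17.2.
var cve201911254Ranges = []affectedRange{
	{kubeVersion{0, 0, 0}, kubeVersion{1, 15, 9}},
	{kubeVersion{1, 16, 0}, kubeVersion{1, 16, 6}},
	{kubeVersion{1, 17, 0}, kubeVersion{1, 17, 2}},
}

// IsAffected reports whether the given kube-apiserver version falls inside
// one of the affected ranges for CVE-2019-11254.
func IsAffected(version string) (bool, error) {
	v, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	for _, r := range cve201911254Ranges {
		if !v.less(r.lo) && !r.hi.less(v) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed sample inputs in the shape of the version string kubectl reports.
	samples := []string{"v1.15.9", "v1.15.10", "v1.16.6", "v1.17.2", "v1.17.3-gke.1", "v1.18.0", "1.17"}
	for _, s := range samples {
		affected, err := IsAffected(s)
		if err != nil {
			fmt.Printf("%-14s error: %v\n", s, err)
			continue
		}
		fmt.Printf("%-14s affected=%v\n", s, affected)
	}
}
```

Feed it the server version from your cluster; anything reported as affected should be upgraded to a release that includes the fix.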

How do I mitigate this vulnerability?

Prior to upgrading, this vulnerability can be mitigated by preventing unauthenticated or unauthorized access to kube-apiserver.


Acknowledgements


Thanks to Mark Wolters from Google for writing the fuzz tests, and to oss-fuzz for the support.


Thanks to Mike Danese from Google for reporting this issue.


- CJ Cullen on behalf of the Kubernetes Product Security Team

