kubernetes / kubernetes

Production-Grade Container Scheduling and Management

Home Page:https://kubernetes.io


CVE-2019-1002100: json-patch requests can exhaust apiserver resources

cjcullen opened this issue · comments

[CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) (6.5, medium)

Users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type “json-patch” (e.g. kubectl patch --type json or "Content-Type: application/json-patch+json") that consumes excessive resources while processing, causing a Denial of Service on the API Server.

Thanks to Carl Henrik Lunde for reporting this problem.

CVE-2019-1002100 is fixed in the following Kubernetes releases:

Affected components:

  • Kubernetes API server

Affected versions:

  • Kubernetes v1.0.x-1.10.x
  • Kubernetes v1.11.0-1.11.7 (fixed in v1.11.8)
  • Kubernetes v1.12.0-1.12.5 (fixed in v1.12.6)
  • Kubernetes v1.13.0-1.13.3 (fixed in v1.13.4)

Mitigations:

  • Remove ‘patch’ permissions from untrusted users.

Note: If you are using binaries or packages provided by a distributor (not the ones provided in the open source release artifacts), you should contact them to determine what versions resolve this CVE. Distributors may choose to provide support for older releases beyond the ones maintained by the open source project.

Post-mortem:
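The mitigation above is to take `patch` away from untrusted subjects. A quick way to see who still has it is to dump the cluster's roles and look for rules that grant `patch` explicitly or through the `*` verb wildcard, which implicitly includes it. The following Go program is an added example, not code from the Kubernetes project or from this issue: it parses the JSON shape produced by `kubectl get clusterroles -o json` (a `List` with `items`) using a minimal hand-written subset of the RBAC types rather than client-go, and runs over a constructed sample list embedded in the file.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// PolicyRule mirrors only the rbac.authorization.k8s.io/v1 fields this check
// needs; it is a hand-written subset, not the client-go type.
type PolicyRule struct {
	Verbs     []string `json:"verbs"`
	APIGroups []string `json:"apiGroups"`
	Resources []string `json:"resources"`
}

// Role covers both Role and ClusterRole objects; Kind tells them apart.
type Role struct {
	Kind     string `json:"kind"`
	Metadata struct {
		Name      string `json:"name"`
		Namespace string `json:"namespace,omitempty"`
	} `json:"metadata"`
	Rules []PolicyRule `json:"rules"`
}

// RoleList is the `items` wrapper that `kubectl get ... -o json` emits.
type RoleList struct {
	Items []Role `json:"items"`
}

// grantsPatch reports whether a rule allows the patch verb, either named
// explicitly or via the "*" wildcard that RBAC expands to every verb.
func grantsPatch(r PolicyRule) bool {
	for _, v := range r.Verbs {
		if v == "patch" || v == "*" {
			return true
		}
	}
	return false
}

// RolesGrantingPatch returns, for every role that grants patch, the
// resources its patch-granting rules cover, keyed by "Kind/name".
func RolesGrantingPatch(listJSON []byte) (map[string][]string, error) {
	var list RoleList
	if err := json.Unmarshal(listJSON, &list); err != nil {
		return nil, err
	}
	out := map[string][]string{}
	for _, role := range list.Items {
		for _, rule := range role.Rules {
			if !grantsPatch(rule) {
				continue
			}
			key := role.Kind + "/" + role.Metadata.Name
			out[key] = append(out[key], rule.Resources...)
		}
	}
	for k := range out {
		sort.Strings(out[k]) // deterministic output for reporting
	}
	return out, nil
}

// SampleRoleList is a constructed input that resembles the output of
// `kubectl get clusterroles -o json`; the role names are invented.
const SampleRoleList = `{
  "kind": "List",
  "items": [
    {"kind": "ClusterRole", "metadata": {"name": "deploy-editor"},
     "rules": [{"verbs": ["get", "list", "patch"], "apiGroups": ["apps"], "resources": ["deployments"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "viewer"},
     "rules": [{"verbs": ["get", "list", "watch"], "apiGroups": [""], "resources": ["pods"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "ops-admin"},
     "rules": [{"verbs": ["*"], "apiGroups": ["*"], "resources": ["*"]}]}
  ]
}`

func main() {
	found, err := RolesGrantingPatch([]byte(SampleRoleList))
	if err != nil {
		panic(err)
	}
	for role, resources := range found {
		fmt.Printf("%s grants patch on %v\n", role, resources)
	}
}
```

On a live cluster, feed the program the output of `kubectl get clusterroles,roles -A -o json` and then trace each flagged role through its RoleBindings/ClusterRoleBindings to the subjects that actually hold it; the `*` wildcard case matters because a role like `ops-admin` above never spells out `patch` yet still grants it.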

Why isn't this issue number mentioned in any of the release notes?

@tuminoid I think PR 74000 (which is referencing this issue above) is the fix that is mentioned in the release notes (at least for 1.13.4).

Thanks @timoreimann. #74000 appears in all release notes.

/label official-cve-feed

(Related to kubernetes/sig-security#1)