CVE-2019-1002100: json-patch requests can exhaust apiserver resources
cjcullen opened this issue · comments
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) (6.5, medium)
Users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type “json-patch” (e.g. kubectl patch --type json
or "Content-Type: application/json-patch+json"
) that consumes excessive resources while processing, causing a Denial of Service on the API Server.
Thanks to Carl Henrik Lunde for reporting this problem.
CVE-2019-1002100 is fixed in the following Kubernetes releases:
Affected components:
- Kubernetes API server
Affected versions:
- Kubernetes v1.0.x-1.10.x
- Kubernetes v1.11.0-1.11.7 (fixed in v1.11.8)
- Kubernetes v1.12.0-1.12.5 (fixed in v1.12.6)
- Kubernetes v1.13.0-1.13.3 (fixed in v1.13.4)
Mitigations:
- Remove ‘patch’ permissions from untrusted users.
Note: If you are using binaries or packages provided by a distributor (not the ones provided in the open source release artifacts), you should contact them to determine what versions resolve this CVE. Distributors may choose to provide support for older releases beyond the ones maintained by the open source project.
Post-mortem:
Why this issue number isn't mentioned in any of the release notes?
@tuminoid I think PR 74000 (which is referencing this issue above) is the fix that is mentioned in the release notes (at least for 1.13.4).
Thanks @timoreimann. #74000 appears in all release notes.
/label official-cve-feed
(Related to kubernetes/sig-security#1)