Hello Kubernetes Community,
A denial of service vulnerability in the Kubernetes API Server was discovered and assigned CVE-2019-11254. This vulnerability has been given an initial severity of Medium (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). Details are below and at https://issue.k8s.io/89535
The following versions including the fix have been released:
Details
CVE-2019-11254 is a denial of service vulnerability in the kube-apiserver, allowing authorized users sending malicious YAML payloads to cause kube-apiserver to consume excessive CPU cycles while parsing YAML.
The issue was discovered via the fuzz test kubernetes/kubernetes#83750.
Affected components:
Kubernetes API server
Affected versions:
- <= v1.15.9
- v1.16.0-v1.16.6
- v1.17.0-v1.17.2
How do I mitigate this vulnerability?
Prior to upgrading, these vulnerabilities can be mitigated by preventing unauthenticated or unauthorized access to kube-apiserver.
Acknowledgements
Thanks to Mark Wolters from Google for writing the fuzz tests, and to oss-fuzz for the support.
Thanks to Mike Danese from Google for reporting this issue.
– CJ Cullen on behalf of the Kubernetes Product Security Team