[ANNOUNCE] CVE-2019-11253: denial of service vulnerability from malicious YAML or JSON payloads

Hello Kubernetes Community,

A denial of service vulnerability in the Kubernetes API Server has been disclosed publicly, and assigned CVE-2019-11253. This vulnerability has been given an initial severity of High, with a score of 7.5. Details are below and at https://issue.k8s.io/83253

The following versions including the fix have been released:

  • v1.13.12
  • v1.14.8
  • v1.15.5
  • v1.16.2

Details

CVE-2019-11253 is a denial of service vulnerability in kube-apiserver. An authorized user can send a malicious YAML or JSON payload that causes kube-apiserver to consume excessive CPU or memory, potentially crashing it and making the API server unavailable.

Prior to v1.14.0, default RBAC policy authorized anonymous users to submit requests that could trigger this vulnerability. Clusters upgraded from a version prior to v1.14.0 keep the more permissive policy for backwards compatibility. To manually apply the more restrictive policy for anonymous users, follow the mitigation steps at issue.k8s.io/83253.

Affected components:

Kubernetes API server

Affected versions:

  • Kubernetes v1.0.0-1.12.x
  • Kubernetes v1.13.0-1.13.11 (resolved in v1.13.12)
  • Kubernetes v1.14.0-1.14.7 (resolved in v1.14.8)
  • Kubernetes v1.15.0-1.15.4 (resolved in v1.15.5)
  • Kubernetes v1.16.0-1.16.1 (resolved in v1.16.2)

Pre-upgrade mitigations:

Remove authorization rules that grant “create” access to unauthenticated users (in RBAC terms, bindings whose subjects include the group system:unauthenticated or the user system:anonymous, the identities kube-apiserver assigns to anonymous requests). See Issue 83253 for details.
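The following script is an added example for the pre-upgrade mitigation above and for the anonymous-user note in the Details section; it is not code from this announcement or from the Kubernetes project. It reads the JSON that `kubectl get clusterroles,clusterrolebindings -o json` prints and lists every ClusterRoleBinding that gives an anonymous identity (group system:unauthenticated or user system:anonymous) a ClusterRole containing a "create" or wildcard verb. The embedded SAMPLE_DUMP is constructed: it models the pre-v1.14 default bindings for system:basic-user and system:discovery (both bound to system:unauthenticated) plus a hypothetical misconfigured binding named anonymous-admin; the names rbac_unauth_create.py, rules_allow_create and find_unauthenticated_create are the example's own.

```python
"""Audit a kubectl RBAC dump for bindings that let anonymous callers
"create" (i.e. POST a request body to kube-apiserver).

Usage: kubectl get clusterroles,clusterrolebindings -o json | python3 rbac_unauth_create.py -
Run with no argument to audit the constructed SAMPLE_DUMP below.
"""
import json
import sys

# Identities kube-apiserver assigns to requests that carry no credentials.
UNAUTHENTICATED_SUBJECTS = {
    ("Group", "system:unauthenticated"),
    ("User", "system:anonymous"),
}

# A rule with either verb lets the subject submit a request body.
CREATE_VERBS = {"create", "*"}


def rules_allow_create(rules):
    """True if any PolicyRule in `rules` grants create or the wildcard verb."""
    return any(CREATE_VERBS & set(rule.get("verbs", [])) for rule in rules or [])


def find_unauthenticated_create(dump):
    """Return (binding, role, subjectKind, subjectName) for each ClusterRoleBinding
    that hands an anonymous identity a ClusterRole with create rights.
    `dump` is the List object kubectl prints for the two resource types."""
    items = dump.get("items", [])
    roles = {o["metadata"]["name"]: o.get("rules", [])
             for o in items if o.get("kind") == "ClusterRole"}
    findings = []
    for obj in items:
        if obj.get("kind") != "ClusterRoleBinding":
            continue
        ref = obj.get("roleRef", {})
        # Only ClusterRole refs are resolvable from this dump; namespaced Roles
        # and RoleBindings need `kubectl get roles,rolebindings -A -o json`.
        if ref.get("kind") != "ClusterRole":
            continue
        if not rules_allow_create(roles.get(ref.get("name"))):
            continue
        for subj in obj.get("subjects") or []:
            if (subj.get("kind"), subj.get("name")) in UNAUTHENTICATED_SUBJECTS:
                findings.append((obj["metadata"]["name"], ref["name"],
                                 subj["kind"], subj["name"]))
    return findings


def _obj(kind, name, **fields):
    """Build a minimal RBAC object in the shape kubectl emits."""
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": kind,
            "metadata": {"name": name}, **fields}


# Constructed sample: pre-v1.14 style defaults plus one hypothetical mistake.
SAMPLE_DUMP = {"kind": "List", "items": [
    _obj("ClusterRole", "system:basic-user", rules=[
        {"apiGroups": ["authorization.k8s.io"],
         "resources": ["selfsubjectaccessreviews", "selfsubjectrulesreviews"],
         "verbs": ["create"]}]),
    _obj("ClusterRole", "system:discovery", rules=[
        {"nonResourceURLs": ["/api", "/api/*", "/apis", "/apis/*", "/healthz", "/version"],
         "verbs": ["get"]}]),
    _obj("ClusterRole", "cluster-admin", rules=[
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
        {"nonResourceURLs": ["*"], "verbs": ["*"]}]),
    _obj("ClusterRoleBinding", "system:basic-user",
         roleRef={"kind": "ClusterRole", "name": "system:basic-user"},
         subjects=[{"kind": "Group", "name": "system:authenticated"},
                   {"kind": "Group", "name": "system:unauthenticated"}]),
    _obj("ClusterRoleBinding", "system:discovery",
         roleRef={"kind": "ClusterRole", "name": "system:discovery"},
         subjects=[{"kind": "Group", "name": "system:authenticated"},
                   {"kind": "Group", "name": "system:unauthenticated"}]),
    # Hypothetical operator mistake: anonymous user bound to cluster-admin.
    _obj("ClusterRoleBinding", "anonymous-admin",
         roleRef={"kind": "ClusterRole", "name": "cluster-admin"},
         subjects=[{"kind": "User", "name": "system:anonymous"}]),
    _obj("ClusterRoleBinding", "cluster-admin",
         roleRef={"kind": "ClusterRole", "name": "cluster-admin"},
         subjects=[{"kind": "Group", "name": "system:masters"}]),
]}


def main():
    dump = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE_DUMP
    findings = find_unauthenticated_create(dump)
    for binding, role, kind, name in findings:
        print(f"{binding}: {kind} {name} -> ClusterRole {role} grants create")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

On the sample the script reports the system:basic-user binding (anonymous users can create SelfSubjectAccessReviews, which is a POST with a body) and the hypothetical anonymous-admin binding, but not system:discovery, whose role only grants "get". A non-zero exit status makes it usable as a gate in a pre-upgrade checklist; remediation of the flagged default bindings is described in Issue 83253.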

  • CJ Cullen on behalf of the Kubernetes Product Security Team