Hello Kubernetes Community-
A security issue was discovered in the Linux kernel that affects cgroup memory isolation via the esoteric SCTP network transport. The issue is Medium severity, and blacklisting the sctp kernel module is encouraged to fix this issue.
How do I mitigate the vulnerability?
Instructions for Linux distributions may vary. But, these instructions should work for most.
Blacklist the sctp module on all hosts:
echo "install sctp /bin/true" > /etc/modprobe.d/sctp.conf
Reboot the host if the sctp module is loaded. You can test this with:
lsmod | grep sctp
Am I vulnerable?
We recommend you blacklist the sctp module first (see mitigation above) before running this test. If the sctp module is inserted, a reboot is required to unload the module.
Run:
modprobe sctp; lsmod | grep sctp
If the output lists sctp, you are potentially vulnerable.
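The mitigation and the vulnerability test above can be wrapped into a small host audit. The following POSIX shell script is an added example, not part of the original announcement or any Kubernetes tooling; it checks whether any /etc/modprobe.d/*.conf file carries an "install sctp /bin/true" (or /bin/false) line and whether sctp appears in /proc/modules (the file lsmod reads). Both paths are parameters so the checks can be exercised against constructed sample files; the --audit flag and function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original announcement): audit helpers for the
# sctp blacklist mitigation. Paths default to the live host but can be
# overridden so the functions run against constructed sample files.

# Returns 0 if a file under the given modprobe.d directory disables sctp
# with an "install sctp /bin/true" or "install sctp /bin/false" line.
sctp_blacklisted() {
  dir="${1:-/etc/modprobe.d}"
  grep -Eqs '^[[:space:]]*install[[:space:]]+sctp[[:space:]]+/bin/(true|false)' "$dir"/*.conf
}

# Returns 0 if sctp is listed in a /proc/modules-style file (what lsmod shows).
sctp_loaded() {
  modules="${1:-/proc/modules}"
  grep -Eqs '^sctp[[:space:]]' "$modules"
}

# Prints a one-line verdict; returns 0 when mitigated, 1 when action is needed.
# A loaded module always wins: the blacklist only prevents future loads, so a
# reboot is still required once sctp is resident.
sctp_audit() {
  dir="${1:-/etc/modprobe.d}"
  modules="${2:-/proc/modules}"
  if sctp_loaded "$modules"; then
    echo "sctp is loaded: blacklist it and reboot (mitigation incomplete)"
    return 1
  elif sctp_blacklisted "$dir"; then
    echo "sctp is blacklisted and not loaded: mitigated"
    return 0
  else
    echo "sctp is not loaded but not blacklisted: add /etc/modprobe.d/sctp.conf"
    return 1
  fi
}

# Audit the live host only when invoked with --audit (hypothetical flag),
# e.g.: sh sctp_audit.sh --audit
case "${1:-}" in
  --audit) sctp_audit ;;
esac
```

The exit status makes the audit usable from configuration-management or node-health checks: a non-zero result means the host still needs the blacklist file, a reboot, or both.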
How do I upgrade?
A kernel patch is under development. However, blacklisting sctp and dccp (both esoteric network protocols) is a common security practice and will protect users now and into the future.
When a Pod runs as root, it may bypass cgroup memory isolation, creating a potential DoS.
This issue is filed as CVE-2019-3874. See the CVE advisory for more details.
Thank you to Matteo Croce & Jason Sheperd for the notification.
Brandon on behalf of the Kubernetes Product Security Committee