<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
By Date
By Thread
</form>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
CVE-2020-8551, CVE-2020-8552: Kubernetes: Denial of service
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: Tim Allclair <tallclair () google com>
Date: Mon, 23 Mar 2020 11:37:19 -0700
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
Hello Kubernetes Community,
Two security issues were discovered in Kubernetes that could lead to a
recoverable denial of service.
*CVE-2020-8551* affects the kubelet, and has been rated *Medium *(
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L>
).
*CVE-2020-8552* affects the API server, and has also been rated *Medium* (
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L>
).
<https://github.com/kubernetes/security/blob/master/comms-temlpates/vulnerability-announcement-email.md#am-i-vulnerable>Am
I vulnerable?
If an attacker can make an authorized resource request to an unpatched API
server (see below), then you may be vulnerable to CVE-2020-8552. If an
attacker can make an authorized request to an unpatched kubelet, then you
may be vulnerable to CVE-2020-8551.
<https://github.com/kubernetes/security/blob/master/comms-temlpates/vulnerability-announcement-email.md#affected-versions>Affected
Versions
CVE-2020-8551 affects:
- kubelet v1.17.0 - v1.17.2
- kubelet v1.16.0 - v1.16.6
- kubelet v1.15.0 - v1.15.10\
- *kubelets prior to v1.15.0 are unaffected*
CVE-2020-8552 affects:
- kube-apiserver v1.17.0 - v1.17.2
- kube-apiserver v1.16.0 - v1.16.6
- kube-apiserver < v1.15.10
<https://github.com/kubernetes/security/blob/master/comms-temlpates/vulnerability-announcement-email.md#how-do-i-mitigate-this-vulnerability>How
do I mitigate this vulnerability?
Prior to upgrading, these vulnerabilities can be mitigated by:
- Preventing unauthenticated or unauthorized access to the affected
components
- The apiserver and kubelet should auto restart in the event of an OOM
error
<https://github.com/kubernetes/security/blob/master/comms-temlpates/vulnerability-announcement-email.md#fixed-versions>Fixed
Versions
Both vulnerabilities are patched in kubernetes versions
- v1.17.3
- v1.16.7
- v1.15.10
To upgrade, refer to the documentation:
https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster
<https://github.com/kubernetes/security/blob/master/comms-temlpates/vulnerability-announcement-email.md#addiitonal-details>Additional
Details
See the GitHub issues for more details:
CVE-2020-8551: https://github.com/kubernetes/kubernetes/issues/89377
CVE-2020-8552: https://github.com/kubernetes/kubernetes/issues/89378
Thank You,
Tim Allclair on behalf of the Kubernetes Product Security Committee
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
By Date
By Thread
Current thread:
CVE-2020-8551, CVE-2020-8552: Kubernetes: Denial of service Tim Allclair (Mar 23)
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->