Bug 1683190 (CVE-2019-1002100)
| Summary: | CVE-2019-1002100 kube-apiserver: DoS with crafted patch of type json-patch | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Laura Pardo <lpardo> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | ahardin, bleanhar, bmontgom, ccoleman, cstark, dedgar, dominik.mierzejewski, eparis, hchiramm, hvyas, jburrell, jdesousa, jgoulding, jmulligan, jokerman, kramdoss, madam, mchappel, nstielau, rhs-bugs, sankarshan, security-response-team, sfowler, sisharma, sponnaga, ssaha, storage-qa-internal, vbellur, yqu |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | kube-apiserver 1.11.8, kube-apiserver 1.12.6, kube-apiserver 1.13.4 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A denial of service vulnerability was found in the Kubernetes API server. A remote user, with authorization to apply patches, could exploit this via crafted JSON input, causing excessive consumption of resources and subsequent denial of service.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-07-25 01:18:20 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1686287, 1687690, 1687691, 1692239, 1692240, 1692241, 1692242, 1692243, 1692244 | ||
| Bug Blocks: | 1683193 | ||
|
Description
Laura Pardo
2019-02-26 12:29:37 UTC
References: https://groups.google.com/forum/#!topic/kubernetes-announce/vmUUNkYfG9g https://github.com/kubernetes/kubernetes/issues/74534 Upstream Patch: https://github.com/kubernetes/kubernetes/pull/74000 Gluster ships kube-apiserver via heketi, however we don't use it to provision Gluster server hence the vulnerability is not exposed in a way that would be exploitable within Gluster. Affected as the kube-apiserver code shipped with heketi is unpatched but most likely wontfix thing. External References: https://groups.google.com/forum/#!topic/kubernetes-announce/vmUUNkYfG9g Mitigation: Remove ‘patch’ permissions from untrusted users. Acknowledgments: Name: Carl Henrik Lunde Upstream Patches: https://github.com/kubernetes/kubernetes/commit/8a2d338b (1.11.8) https://github.com/kubernetes/kubernetes/commit/8a09eb39 (1.12.6) https://github.com/kubernetes/kubernetes/commit/de5b047e (1.13.3) Statement: This issue affects the Kubernetes API Server, shipped in OpenShift Container Platform versions 3.4 through 3.11 as part of the atomic-openshift package. Red Hat Product Security has rated this issue as having a security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/. This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.11 Via RHSA-2019:1851 https://access.redhat.com/errata/RHSA-2019:1851 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-1002100 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.10 Via RHSA-2019:3239 https://access.redhat.com/errata/RHSA-2019:3239 |