Bug 1757701 (CVE-2019-11253)
| Field | Value |
|---|---|
| Summary | CVE-2019-11253 kubernetes: YAML parsing vulnerable to "Billion Laughs" attack, allowing for remote denial of service |
| Product | [Other] Security Response |
| Reporter | Sam Fowler <sfowler> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| QA Contact | |
| Severity | high |
| Docs Contact | |
| Priority | high |
| Version | unspecified |
| CC | annelson, bdettelb, bmontgom, ckoep, dbecker, deads, dyocum, eparis, go-sig, hchiramm, hgomes, hvyas, ichavero, jbrooks, jburrell, jcajka, jchaloup, jjoyce, jmulligan, jokerman, jschluet, jschorr, kconner, lhh, lpeer, madam, mburns, nhorman, nstielau, puebele, rcernich, rhos-maint, rhs-bugs, sclewis, sfowler, sisharma, slinaber, sponnaga, sreber, storage-qa-internal, strigazi, tstclair, twalsh, vbatts, vbellur |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | kubernetes 1.13.12, kubernetes 1.14.8, kubernetes 1.15.5, kubernetes 1.16.2 |
| Doc Type | If docs needed, set a value |
| Doc Text | A flaw was found in kubernetes. The Kubernetes API server's parsing of YAML manifests is vulnerable to a "billion laughs" attack (exponential expansion of YAML anchors and aliases), which can be used to cause a denial of service. The highest threat from this vulnerability is to system availability. |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2019-10-16 18:51:20 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 1757702, 1757708, 1757709, 1757710, 1757711, 1757712, 1757887, 2032712, 2032713, 2032714 |
| Bug Blocks | 1757703 |
Description

Sam Fowler, 2019-10-02 08:41:11 UTC

Created kubernetes tracking bugs for this issue:

Affects: fedora-all [bug 1757702]

External References:

https://www.stackrox.com/post/2019/09/protecting-kubernetes-api-against-cve-2019-11253-billion-laughs-attack/

This issue has been addressed in the following products:

- Red Hat OpenShift Container Platform 4.1, via RHSA-2019:3132 (https://access.redhat.com/errata/RHSA-2019:3132)
- Red Hat OpenShift Container Platform 3.10, via RHSA-2019:3239 (https://access.redhat.com/errata/RHSA-2019:3239)
- Red Hat OpenShift Container Platform 3.9, via RHSA-2019:3811 (https://access.redhat.com/errata/RHSA-2019:3811)
- Red Hat OpenShift Container Platform 3.11, via RHSA-2019:3905 (https://access.redhat.com/errata/RHSA-2019:3905)
- OpenShift Service Mesh 1.1, via RHSA-2020:2799 (https://access.redhat.com/errata/RHSA-2020:2799)
- OpenShift Service Mesh 1.1, via RHSA-2020:2796 (https://access.redhat.com/errata/RHSA-2020:2796)
- OpenShift Service Mesh 1.1, via RHSA-2020:2795 (https://access.redhat.com/errata/RHSA-2020:2795)
- OpenShift Service Mesh 1.0, via RHSA-2020:2861 (https://access.redhat.com/errata/RHSA-2020:2861)
- OpenShift Service Mesh 1.0, via RHSA-2020:2863 (https://access.redhat.com/errata/RHSA-2020:2863)
- OpenShift Service Mesh 1.0, via RHSA-2020:2870 (https://access.redhat.com/errata/RHSA-2020:2870)
- Red Hat OpenStack Platform 16.2, via RHSA-2022:2183 (https://access.redhat.com/errata/RHSA-2022:2183)

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-11253