Bug 1797909 (CVE-2020-8552)
| Summary: | CVE-2020-8552 kubernetes: Use of unbounded 'client' label in apiserver_request_total allows for memory exhaustion | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Sam Fowler <sfowler> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | admiller, alegrand, anpicker, aos-bugs, bmontgom, eparis, erooth, fbranczy, go-sig, hchiramm, hvyas, ichavero, jbrooks, jburrell, jcajka, jchaloup, jesusr, jmulligan, jokerman, kakkoyun, lcosic, madam, mfojtik, mloibl, nagrawal, nhorman, nstielau, pkrupa, puebele, rhs-bugs, scuppett, security-response-team, sfowler, sisharma, sponnaga, storage-qa-internal, strigazi, sttts, surbania, tstclair, vbatts |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | kube-apiserver 1.17.3, kube-apiserver 1.16.7, kube-apiserver 1.15.10 | Doc Type: | If docs needed, set a value |
| Doc Text: | A denial of service vulnerability was found in the Kubernetes API server. This flaw allows a remote attacker to send repeated, crafted HTTP requests to exhaust available memory and cause a crash. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-04-01 22:31:50 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1798289, 1798290, 1798291, 1798292, 1798293, 1798294, 1798295, 1798296, 1798297, 1798298, 1798299, 1798300, 1798301, 1803090, 1803621, 1803622, 1803623, 1803624, 1803625, 1803626, 1816231, 1816232, 1816233, 1816234, 1816395, 1816396 | | |
| Bug Blocks: | 1796999 | | |
Description

Sam Fowler
2020-02-04 08:13:26 UTC

Kubernetes is embedded in the version of heketi shipped with Red Hat Gluster Storage 3. However, it does not use the Kubernetes API server part and only uses the client-side bits.

Acknowledgments:
Name: Kubernetes Product Security Committee
Upstream: Gus Lees (Amazon)

Created kubernetes tracking bugs for this issue:
Affects: fedora-all [bug 1816395]

Created origin tracking bugs for this issue:
Affects: fedora-all [bug 1816396]

Mitigation: Prevent unauthenticated or unauthorized access to all APIs.

External References:
https://groups.google.com/forum/#!topic/kubernetes-security-announce/2UOlsba2g0s
https://github.com/kubernetes/kubernetes/issues/89378

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.3
Via RHSA-2020:0933 https://access.redhat.com/errata/RHSA-2020:0933

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2020-8552

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.2
Via RHSA-2020:1527 https://access.redhat.com/errata/RHSA-2020:1527

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.2
Via RHSA-2020:1526 https://access.redhat.com/errata/RHSA-2020:1526

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.2
Via RHSA-2020:2306 https://access.redhat.com/errata/RHSA-2020:2306

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 3.11
Via RHSA-2020:2992 https://access.redhat.com/errata/RHSA-2020:2992