Bug 1816403 (CVE-2020-8551)
| Summary: | CVE-2020-8551 kubernetes: crafted requests to kubelet API allow for memory exhaustion | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Sam Fowler <sfowler> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | admiller, aos-bugs, bmontgom, eparis, go-sig, hchiramm, hvyas, ichavero, jbrooks, jburrell, jcajka, jchaloup, jmulligan, jokerman, madam, mfojtik, nhorman, nstielau, puebele, rhs-bugs, rphillips, sfowler, sponnaga, storage-qa-internal, strigazi, sttts, tstclair, vbatts, vbellur |
| Target Milestone: | --- | Keywords: | Reopened, Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | kubelet 1.17.3, kubelet 1.16.7, kubelet 1.15.10 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A denial of service flaw was found in Kubernetes' Kubelet API. A remote attacker can exploit this flaw by sending repeated, crafted HTTP requests to exhaust available memory and cause a crash.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-04-07 16:31:58 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1816405, 1816406, 1816407, 1816408, 1816409, 1816412, 1816413, 1816414, 1816416, 1816417, 1816418, 1816423, 1816424, 1816425, 1816490 | ||
| Bug Blocks: | 1796999 | ||
|
Description
Sam Fowler
2020-03-23 23:24:00 UTC
Created kubernetes tracking bugs for this issue: Affects: fedora-all [bug 1816405] Created origin tracking bugs for this issue: Affects: fedora-all [bug 1816406] Mitigation: Prevent unauthenticated or unauthorized access to the Kubelet API Probably the reason kubelets before 1.15.0 are unaffected is the lack of this commit, which added kubelet http metrics: https://github.com/kubernetes/kubernetes/commit/538cd87864ee18fa0ae31b20b39728ada6f2f9ba Comparing against a 4.x cluster, 3.11 clusters do not have 'kubelet_http*' metrics available: OCP 4.3: $ curl -s -k <cert_creds> https://localhost:10250/metrics | grep kubelet_http # HELP kubelet_http_inflight_requests [ALPHA] Number of the inflight http requests # TYPE kubelet_http_inflight_requests gauge kubelet_http_inflight_requests{long_running="false",method="GET",path="",server_type="readwrite"} 0 kubelet_http_inflight_requests{long_running="false",method="GET",path="metrics",server_type="readwrite"} 1 ... OCP 3.11: $ curl -s -k <cert_creds> https://localhost:10250/metrics | grep -kubelet_http $ So I think it's safe to say OCP 3.11 is notaffected. *** Bug 1816378 has been marked as a duplicate of this bug. *** External References: https://groups.google.com/forum/#!topic/kubernetes-security-announce/2UOlsba2g0s https://github.com/kubernetes/kubernetes/issues/89377 Statement: By default, OpenShift Container Platform does not allow unauthenticated access to the Kubelet API. OpenShift Container Platform versions before 4.2 are not affected by this vulnerability as they are based on earlier versions of Kubernetes which do not include metrics for the Kubelet HTTP server. This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.3 Via RHSA-2020:1276 https://access.redhat.com/errata/RHSA-2020:1276 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-8551 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.3 Via RHSA-2020:1277 https://access.redhat.com/errata/RHSA-2020:1277 |