Bug 1683190 (CVE-2019-1002100) - CVE-2019-1002100 kube-apiserver: DoS with crafted patch of type json-patch
Summary: CVE-2019-1002100 kube-apiserver: DoS with crafted patch of type json-patch
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-1002100
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1686287 1687690 1687691 1692239 1692240 1692241 1692242 1692243 1692244
Blocks: 1683193
TreeView+ depends on / blocked
 
Reported: 2019-02-26 12:29 UTC by Laura Pardo
Modified: 2019-11-04 19:41 UTC (History)
25 users (show)

Fixed In Version: kube-apiserver 1.11.8, kube-apiserver 1.12.6, kube-apiserver 1.13.4
Doc Type: If docs needed, set a value
Doc Text:
A denial of service vulnerability was found in the Kubernetes API server. A remote user, with authorization to apply patches, could exploit this via crafted JSON input, causing excessive consumption of resources and subsequent denial of service.
Clone Of:
Environment:
Last Closed: 2019-07-25 01:18:20 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:1851 None None None 2019-07-24 21:00:36 UTC
Red Hat Product Errata RHSA-2019:3239 None None None 2019-10-29 16:21:17 UTC

Description Laura Pardo 2019-02-26 12:29:37 UTC
A security issue was discovered in kube-apiserver versions before v1.11.8, v1.12.6, or v1.13.4. Users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type “json-patch” (e.g.`kubectl patch --type json` or `"Content-Type: application/json-patch+json"`) that consumes excessive resources while processing, causing a Denial of Service on the API Server.

Comment 2 Hardik Vyas 2019-03-04 13:22:19 UTC
Gluster ships kube-apiserver via heketi, however we don't use it to provision Gluster server hence the vulnerability is not exposed in a way that would be exploitable within Gluster. Affected as the kube-apiserver code shipped with heketi is unpatched but most likely wontfix thing.

Comment 3 Hardik Vyas 2019-03-04 13:22:21 UTC
External References:

https://groups.google.com/forum/#!topic/kubernetes-announce/vmUUNkYfG9g

Comment 4 Hardik Vyas 2019-03-04 13:22:23 UTC
Mitigation:

Remove ‘patch’ permissions from untrusted users.

Comment 5 Laura Pardo 2019-03-06 16:51:34 UTC
Acknowledgments:

Name: Carl Henrik Lunde

Comment 14 Sam Fowler 2019-03-25 07:12:51 UTC
Statement:

This issue affects the Kubernetes API Server, shipped in OpenShift Container Platform versions 3.4 through 3.11 as part of the atomic-openshift package. Red Hat Product Security has rated this issue as having a security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Comment 16 errata-xmlrpc 2019-07-24 21:00:35 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2019:1851 https://access.redhat.com/errata/RHSA-2019:1851

Comment 17 Product Security DevOps Team 2019-07-25 01:18:20 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-1002100

Comment 18 errata-xmlrpc 2019-10-29 16:21:13 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.10

Via RHSA-2019:3239 https://access.redhat.com/errata/RHSA-2019:3239


Note You need to log in before you can comment on or make changes to this bug.