Bug 1683190 (CVE-2019-1002100) - CVE-2019-1002100 kube-apiserver: DoS with crafted patch of type json-patch
Summary: CVE-2019-1002100 kube-apiserver: DoS with crafted patch of type json-patch
Alias: CVE-2019-1002100
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1686287 1687690 1687691 1692239 1692240 1692241 1692242 1692243 1692244
Blocks: 1683193
TreeView+ depends on / blocked
Reported: 2019-02-26 12:29 UTC by Laura Pardo
Modified: 2021-02-16 22:20 UTC (History)
29 users (show)

Fixed In Version: kube-apiserver 1.11.8, kube-apiserver 1.12.6, kube-apiserver 1.13.4
Doc Type: If docs needed, set a value
Doc Text:
A denial of service vulnerability was found in the Kubernetes API server. A remote user, with authorization to apply patches, could exploit this via crafted JSON input, causing excessive consumption of resources and subsequent denial of service.
Clone Of:
Last Closed: 2019-07-25 01:18:20 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:1851 0 None None None 2019-07-24 21:00:36 UTC
Red Hat Product Errata RHSA-2019:3239 0 None None None 2019-10-29 16:21:17 UTC

Description Laura Pardo 2019-02-26 12:29:37 UTC
A security issue was discovered in kube-apiserver versions before v1.11.8, v1.12.6, or v1.13.4. Users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type “json-patch” (e.g.`kubectl patch --type json` or `"Content-Type: application/json-patch+json"`) that consumes excessive resources while processing, causing a Denial of Service on the API Server.

Comment 2 Hardik Vyas 2019-03-04 13:22:19 UTC
Gluster ships kube-apiserver via heketi, however we don't use it to provision Gluster server hence the vulnerability is not exposed in a way that would be exploitable within Gluster. Affected as the kube-apiserver code shipped with heketi is unpatched but most likely wontfix thing.

Comment 3 Hardik Vyas 2019-03-04 13:22:21 UTC
External References:


Comment 4 Hardik Vyas 2019-03-04 13:22:23 UTC

Remove ‘patch’ permissions from untrusted users.

Comment 5 Laura Pardo 2019-03-06 16:51:34 UTC

Name: Carl Henrik Lunde

Comment 14 Sam Fowler 2019-03-25 07:12:51 UTC

This issue affects the Kubernetes API Server, shipped in OpenShift Container Platform versions 3.4 through 3.11 as part of the atomic-openshift package. Red Hat Product Security has rated this issue as having a security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Comment 16 errata-xmlrpc 2019-07-24 21:00:35 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2019:1851 https://access.redhat.com/errata/RHSA-2019:1851

Comment 17 Product Security DevOps Team 2019-07-25 01:18:20 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Comment 18 errata-xmlrpc 2019-10-29 16:21:13 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.10

Via RHSA-2019:3239 https://access.redhat.com/errata/RHSA-2019:3239

Note You need to log in before you can comment on or make changes to this bug.