Bug 1683190 (CVE-2019-1002100) - CVE-2019-1002100 kube-apiserver: DoS with crafted patch of type json-patch
Summary: CVE-2019-1002100 kube-apiserver: DoS with crafted patch of type json-patch
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-1002100
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1686287 1687690 1687691 1692239 1692240 1692241 1692242 1692243 1692244
Blocks: 1683193
TreeView+ depends on / blocked
 
Reported: 2019-02-26 12:29 UTC by Laura Pardo
Modified: 2021-02-16 22:20 UTC (History)
29 users (show)

Fixed In Version: kube-apiserver 1.11.8, kube-apiserver 1.12.6, kube-apiserver 1.13.4
Doc Type: If docs needed, set a value
Doc Text:
A denial of service vulnerability was found in the Kubernetes API server. A remote user, with authorization to apply patches, could exploit this via crafted JSON input, causing excessive consumption of resources and subsequent denial of service.
Clone Of:
Environment:
Last Closed: 2019-07-25 01:18:20 UTC

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:1851 0 None None None 2019-07-24 21:00:36 UTC
Red Hat Product Errata RHSA-2019:3239 0 None None None 2019-10-29 16:21:17 UTC

Description Laura Pardo 2019-02-26 12:29:37 UTC 
A security issue was discovered in kube-apiserver versions before v1.11.8, v1.12.6, or v1.13.4. Users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type “json-patch” (e.g.`kubectl patch --type json` or `"Content-Type: application/json-patch+json"`) that consumes excessive resources while processing, causing a Denial of Service on the API Server.
Comment 1 Laura Pardo 2019-03-01 20:22:29 UTC 
References:
https://groups.google.com/forum/#!topic/kubernetes-announce/vmUUNkYfG9g
https://github.com/kubernetes/kubernetes/issues/74534

Upstream Patch:
https://github.com/kubernetes/kubernetes/pull/74000
Comment 2 Hardik Vyas 2019-03-04 13:22:19 UTC 
Gluster ships kube-apiserver via heketi, however we don't use it to provision Gluster server hence the vulnerability is not exposed in a way that would be exploitable within Gluster. Affected as the kube-apiserver code shipped with heketi is unpatched but most likely wontfix thing.
Comment 3 Hardik Vyas 2019-03-04 13:22:21 UTC 
External References:

https://groups.google.com/forum/#!topic/kubernetes-announce/vmUUNkYfG9g
Comment 4 Hardik Vyas 2019-03-04 13:22:23 UTC 
Mitigation:

Remove ‘patch’ permissions from untrusted users.
Comment 5 Laura Pardo 2019-03-06 16:51:34 UTC 
Acknowledgments:

Name: Carl Henrik Lunde
Comment 11 Sam Fowler 2019-03-25 07:00:56 UTC 
Upstream Patches:

https://github.com/kubernetes/kubernetes/commit/8a2d338b (1.11.8)
https://github.com/kubernetes/kubernetes/commit/8a09eb39 (1.12.6)
https://github.com/kubernetes/kubernetes/commit/de5b047e (1.13.3)
Comment 14 Sam Fowler 2019-03-25 07:12:51 UTC 
Statement:

This issue affects the Kubernetes API Server, shipped in OpenShift Container Platform versions 3.4 through 3.11 as part of the atomic-openshift package. Red Hat Product Security has rated this issue as having a security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Comment 16 errata-xmlrpc 2019-07-24 21:00:35 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2019:1851 https://access.redhat.com/errata/RHSA-2019:1851
Comment 17 Product Security DevOps Team 2019-07-25 01:18:20 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-1002100
Comment 18 errata-xmlrpc 2019-10-29 16:21:13 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.10

Via RHSA-2019:3239 https://access.redhat.com/errata/RHSA-2019:3239
Note You need to log in before you can comment on or make changes to this bug.