Bug 1797909 (CVE-2020-8552) - CVE-2020-8552 kubernetes: Use of unbounded 'client' label in apiserver_request_total allows for memory exhaustion
Summary: CVE-2020-8552 kubernetes: Use of unbounded 'client' label in apiserver_reques...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-8552
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1798289 1798290 1798291 1798292 1798293 1798294 1798295 1798296 1798297 1798298 1798299 1798300 1798301 1803090 1803621 1803622 1803623 1803624 1803625 1803626 1816231 1816232 1816233 1816234 1816395 1816396
Blocks: 1796999
TreeView+ depends on / blocked
 
Reported: 2020-02-04 08:13 UTC by Sam Fowler
Modified: 2021-02-16 20:40 UTC (History)
41 users (show)

Fixed In Version: kube-apiserver 1.17.3, kube-apiserver 1.16.7, kube-apiserver 1.15.10
Doc Type: If docs needed, set a value
Doc Text:
A denial of service vulnerability was found in the Kubernetes API server. This flaw allows a remote attacker to send repeated, crafted HTTP requests to exhaust available memory and cause a crash.
Clone Of:
Environment:
Last Closed: 2020-04-01 22:31:50 UTC

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:0933 0 None None None 2020-04-01 18:50:55 UTC
Red Hat Product Errata RHSA-2020:1526 0 None None None 2020-04-22 05:16:10 UTC
Red Hat Product Errata RHSA-2020:1527 0 None None None 2020-04-22 04:57:39 UTC
Red Hat Product Errata RHSA-2020:2306 0 None None None 2020-06-03 09:33:54 UTC
Red Hat Product Errata RHSA-2020:2992 0 None None None 2020-07-27 18:49:35 UTC

Description Sam Fowler 2020-02-04 08:13:26 UTC 
A flaw was found in the Kubernetes API server that allows for memory exhaustion and subsequent denial of service. A label in a Kubernetes apiserver metric that reflects the client's user agent is included for debugging purposes, but every value added adds a sustained memory overhead as the metric is now tracked. This is particularly dangerous on commonly unauthenticated APIs (selfsubjectaccessreview for example) and can be performed by any authenticated user.


Upstream Fixes:

1.18: https://github.com/kubernetes/kubernetes/pull/87669
1.17: https://github.com/kubernetes/kubernetes/pull/87673
1.16: https://github.com/kubernetes/kubernetes/pull/87681
1.15: https://github.com/kubernetes/kubernetes/pull/87682
Comment 4 Hardik Vyas 2020-02-07 13:38:15 UTC 
Kubernetes is embedded in the version of heketi shipped with Red Hat Gluster Storage 3. However, it does not use Kubernetes API server part and only uses client side bits.
Comment 13 Sam Fowler 2020-03-19 23:05:46 UTC 
Acknowledgments:

Name: Kubernetes Product Security Committee
Upstream: Gus Lees (Amazon)
Comment 16 Sam Fowler 2020-03-23 22:45:50 UTC 
Created kubernetes tracking bugs for this issue:

Affects: fedora-all [bug 1816395]


Created origin tracking bugs for this issue:

Affects: fedora-all [bug 1816396]
Comment 18 Sam Fowler 2020-03-24 05:54:45 UTC 
Mitigation:

Prevent unauthenticated or unauthorized access to all APIs
Comment 19 Sam Fowler 2020-03-25 07:55:55 UTC 
External References:

https://groups.google.com/forum/#!topic/kubernetes-security-announce/2UOlsba2g0s
https://github.com/kubernetes/kubernetes/issues/89378
Comment 20 errata-xmlrpc 2020-04-01 18:50:52 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.3

Via RHSA-2020:0933 https://access.redhat.com/errata/RHSA-2020:0933
Comment 21 Product Security DevOps Team 2020-04-01 22:31:50 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-8552
Comment 22 errata-xmlrpc 2020-04-22 04:57:37 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.2

Via RHSA-2020:1527 https://access.redhat.com/errata/RHSA-2020:1527
Comment 23 errata-xmlrpc 2020-04-22 05:16:08 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.2

Via RHSA-2020:1526 https://access.redhat.com/errata/RHSA-2020:1526
Comment 24 errata-xmlrpc 2020-06-03 09:33:49 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.2

Via RHSA-2020:2306 https://access.redhat.com/errata/RHSA-2020:2306
Comment 29 errata-xmlrpc 2020-07-27 18:49:33 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2020:2992 https://access.redhat.com/errata/RHSA-2020:2992
Note You need to log in before you can comment on or make changes to this bug.