A denial of service vulnerability was found in the kube-apiserver, allowing authorized users sending malicious YAML payloads to cause kube-apiserver to consume excessive CPU cycles while parsing YAML.
Upstream Issue: https://github.com/kubernetes/kubernetes/issues/89535
External References: https://groups.google.com/forum/#!topic/kubernetes-security-announce/wuwEwZigXBc
Mitigation: Prevent unauthenticated or unauthorized access to the API server
Go yaml fix: https://github.com/go-yaml/yaml/pull/555
- openshift4/ose-openshift-state-metrics-rhel7 does not accept YAML payloads
- openshift4/ose-k8s-prometheus-adapter only exposes a read-only API
Statement: The upstream Kubernetes fix for this vulnerability is to update the version of the Go dependency, gopkg.in/yaml.v2. This issue affects OpenShift Container Platform components that use versions before 2.2.8 of gopkg.in/yaml.v2 and accept YAML payloads.
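One way to apply the Statement's affected-version criterion to a component's go.mod, as an added example that is not Red Hat's, Kubernetes' or go-yaml's own code: it locates the gopkg.in/yaml.v2 requirement and reports whether it is below 2.2.8, treating a pseudo-version of v2.2.8 as still unfixed. The sample go.mod, the module path example.com/yaml-consumer and the function names sortKey and VulnerableYAML are constructed for this illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample go.mod for a hypothetical YAML-consuming component.
const sampleGoMod = `module example.com/yaml-consumer
require (
	gopkg.in/yaml.v2 v2.2.4 // indirect
)`

// sortKey turns "v2.2.4" into a zero-padded key that orders under plain string
// comparison; a pseudo-version "v2.2.8-0.20200101000000-abcdef" ranks below v2.2.8.
func sortKey(v string) (string, error) {
	v, _, pre := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	var major, minor, patch int
	if _, err := fmt.Sscanf(v, "%d.%d.%d", &major, &minor, &patch); err != nil {
		return "", fmt.Errorf("unexpected version %q: %w", v, err)
	}
	rank := 1 // a release
	if pre {
		rank = 0 // a pre-release sorts before its release
	}
	return fmt.Sprintf("%08d.%08d.%08d.%d", major, minor, patch, rank), nil
}

// VulnerableYAML returns the gopkg.in/yaml.v2 version a go.mod body requires
// ("" if absent) and whether it is below v2.2.8, the first fixed release. It
// ignores replace directives and vendored copies, and a component is exposed
// only if it also parses externally supplied YAML: "true" is a lead, not a verdict.
func VulnerableYAML(gomod string) (string, bool, error) {
	fixed, _ := sortKey("v2.2.8")
	for _, line := range strings.Split(gomod, "\n") {
		// Accept both the block form and a one-line "require m v" directive.
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) < 2 || f[0] != "gopkg.in/yaml.v2" {
			continue
		}
		got, err := sortKey(f[1])
		if err != nil {
			return f[1], false, err
		}
		return f[1], got < fixed, nil
	}
	return "", false, nil
}

func main() { fmt.Println(VulnerableYAML(sampleGoMod)) }
```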
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.11 Via RHSA-2020:2479 https://access.redhat.com/errata/RHSA-2020:2479
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-11254
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.5 Via RHSA-2020:2413 https://access.redhat.com/errata/RHSA-2020:2413
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.5 Via RHSA-2020:2412 https://access.redhat.com/errata/RHSA-2020:2412