Bug 1816403 (CVE-2020-8551) - CVE-2020-8551 kubernetes: crafted requests to kubelet API allow for memory exhaustion
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-8551
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Duplicates: 1816378
Depends On: 1816405 1816406 1816407 1816408 1816409 1816412 1816413 1816414 1816416 1816417 1816418 1816423 1816424 1816425 1816490
Blocks: 1796999
 
Reported: 2020-03-23 23:24 UTC by Sam Fowler
Modified: 2021-02-16 20:24 UTC (History)

Fixed In Version: kubelet 1.17.3, kubelet 1.16.7, kubelet 1.15.10
Doc Type: If docs needed, set a value
Doc Text:
A denial of service flaw was found in Kubernetes' Kubelet API. A remote attacker can exploit this flaw by sending repeated, crafted HTTP requests to exhaust available memory and cause a crash.
Clone Of:
Environment:
Last Closed: 2020-04-07 16:31:58 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:1276 0 None None None 2020-04-07 13:02:54 UTC
Red Hat Product Errata RHSA-2020:1277 0 None None None 2020-04-08 07:14:55 UTC

Description Sam Fowler 2020-03-23 23:24:00 UTC
The Kubelet has been found to be vulnerable to a denial of service attack via the kubelet API, including the unauthenticated HTTP read-only API typically served on port 10255, and the authenticated HTTPS API typically served on port 10250.

Comment 1 Sam Fowler 2020-03-23 23:24:29 UTC
Created kubernetes tracking bugs for this issue:

Affects: fedora-all [bug 1816405]


Created origin tracking bugs for this issue:

Affects: fedora-all [bug 1816406]

Comment 8 Sam Fowler 2020-03-24 05:55:23 UTC
Mitigation:

Prevent unauthenticated or unauthorized access to the Kubelet API

Comment 10 Sam Fowler 2020-03-24 06:54:27 UTC
Probably the reason kubelets before 1.15.0 are unaffected is the lack of this commit, which added kubelet http metrics:

https://github.com/kubernetes/kubernetes/commit/538cd87864ee18fa0ae31b20b39728ada6f2f9ba

Comparing against a 4.x cluster, 3.11 clusters do not have 'kubelet_http*' metrics available:

OCP 4.3:
$ curl -s -k <cert_creds> https://localhost:10250/metrics | grep kubelet_http
# HELP kubelet_http_inflight_requests [ALPHA] Number of the inflight http requests
# TYPE kubelet_http_inflight_requests gauge
kubelet_http_inflight_requests{long_running="false",method="GET",path="",server_type="readwrite"} 0
kubelet_http_inflight_requests{long_running="false",method="GET",path="metrics",server_type="readwrite"} 1
...

OCP 3.11:
$ curl -s -k <cert_creds> https://localhost:10250/metrics | grep kubelet_http
$

So I think it's safe to say OCP 3.11 is not affected.
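The check in comment 10 (grep the kubelet's /metrics output for kubelet_http* series) and the "Fixed In Version" field can be combined into a small triage helper. The script below is an added example, not code from the bug report or from Kubernetes; the sample metrics text is constructed to match the OCP 4.3 lines quoted above, and it assumes that minor releases after 1.17 ship with the fix.

```python
import re

# First fixed patch release per affected minor, from the "Fixed In Version" field.
FIXED_IN = {15: 10, 16: 7, 17: 3}

# Constructed sample, modelled on the OCP 4.3 /metrics lines quoted in comment 10.
SAMPLE_METRICS_4_3 = """\
# HELP kubelet_http_inflight_requests [ALPHA] Number of the inflight http requests
# TYPE kubelet_http_inflight_requests gauge
kubelet_http_inflight_requests{long_running="false",method="GET",path="",server_type="readwrite"} 0
kubelet_http_inflight_requests{long_running="false",method="GET",path="metrics",server_type="readwrite"} 1
kubelet_running_pods 12
"""
SAMPLE_METRICS_3_11 = "kubelet_running_pods 12\n"  # constructed: no kubelet_http* series

def parse_version(v):
    """'v1.16.2-rc.1' -> (1, 16, 2); pre-release/build suffixes are ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised kubelet version: {v!r}")
    return tuple(int(x) for x in m.groups())

def version_affected(v):
    """True when v lies in a range the report describes as affected."""
    major, minor, patch = parse_version(v)
    if major != 1 or minor < 15:
        return False  # the metrics commit first shipped in 1.15.0 (comment 10)
    if minor not in FIXED_IN:
        return False  # assumption: minors after 1.17 carry the fix
    return patch < FIXED_IN[minor]

def kubelet_http_metrics(metrics_text):
    """Names of kubelet_http* metrics in Prometheus text output (comment 10's grep)."""
    names = set()
    for line in metrics_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name = re.split(r"[{ ]", line, maxsplit=1)[0]
        if name.startswith("kubelet_http"):
            names.add(name)
    return names

def triage(version, metrics_text):
    """Absence of kubelet_http* metrics rules the flaw out; otherwise the version decides."""
    by_version = version_affected(version)
    by_metrics = bool(kubelet_http_metrics(metrics_text))
    return {"version_in_affected_range": by_version,
            "kubelet_http_metrics_exposed": by_metrics,
            "affected": by_version and by_metrics}
```

Feed it the version from `kubelet --version` and the body of an authenticated `GET /metrics` to get a per-node verdict.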

Comment 12 Ryan Phillips 2020-03-24 14:22:55 UTC
*** Bug 1816378 has been marked as a duplicate of this bug. ***

Comment 15 Sam Fowler 2020-03-30 04:13:52 UTC
Statement:

By default, OpenShift Container Platform does not allow unauthenticated access to the Kubelet API. OpenShift Container Platform versions before 4.2 are not affected by this vulnerability as they are based on earlier versions of Kubernetes which do not include metrics for the Kubelet HTTP server.

Comment 18 errata-xmlrpc 2020-04-07 13:02:53 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.3

Via RHSA-2020:1276 https://access.redhat.com/errata/RHSA-2020:1276

Comment 19 Product Security DevOps Team 2020-04-07 16:31:58 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-8551

Comment 20 errata-xmlrpc 2020-04-08 07:14:53 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.3

Via RHSA-2020:1277 https://access.redhat.com/errata/RHSA-2020:1277

