Message-ID: <CADtktAU1jq56ag08PGjW4YiABqsNi6ptkb8E4c2iR7P4jFNhew@mail.gmail.com>
Date: Mon, 23 Mar 2020 11:37:19 -0700
From: Tim Allclair <tallclair@...gle.com>
To: kubernetes-announce@...glegroups.com, "Kubernetes developer/contributor discussion" <kubernetes-dev@...glegroups.com>, kubernetes-security-announce@...glegroups.com, kubernetes-security-discuss <kubernetes-security-discuss@...glegroups.com>, oss-security@...ts.openwall.com, kubernetes+announcements@...coursemail.com
Subject: CVE-2020-8551, CVE-2020-8552: Kubernetes: Denial of service

Hello Kubernetes Community,

Two security issues were discovered in Kubernetes that could lead to a recoverable denial of service.

*CVE-2020-8551* affects the kubelet, and has been rated *Medium* (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L <https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L>).

*CVE-2020-8552* affects the API server, and has also been rated *Medium* (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L <https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L>).

Am I vulnerable?

If an attacker can make an authorized resource request to an unpatched API server (see below), then you may be vulnerable to CVE-2020-8552. If an attacker can make an authorized request to an unpatched kubelet, then you may be vulnerable to CVE-2020-8551.

Affected Versions

CVE-2020-8551 affects:
- kubelet v1.17.0 - v1.17.2
- kubelet v1.16.0 - v1.16.6
- kubelet v1.15.0 - v1.15.10
- *kubelets prior to v1.15.0 are unaffected*

CVE-2020-8552 affects:
- kube-apiserver v1.17.0 - v1.17.2
- kube-apiserver v1.16.0 - v1.16.6
- kube-apiserver < v1.15.10

How do I mitigate this vulnerability?

Prior to upgrading, these vulnerabilities can be mitigated by:
- Preventing unauthenticated or unauthorized access to the affected components
- The apiserver and kubelet should auto restart in the event of an OOM error

Fixed Versions

Both vulnerabilities are patched in kubernetes versions:
- v1.17.3
- v1.16.7
- v1.15.10

To upgrade, refer to the documentation: https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster

Additional Details

See the GitHub issues for more details:
CVE-2020-8551: https://github.com/kubernetes/kubernetes/issues/89377
CVE-2020-8552: https://github.com/kubernetes/kubernetes/issues/89378

Thank You,
Tim Allclair on behalf of the Kubernetes Product Security Committee
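As an added example (not part of the advisory or the Kubernetes project's own tooling), a small Python check that encodes the affected ranges above and classifies the kubelet versions reported by `kubectl get nodes -o json`. It takes the first patched release of each minor line from the Fixed Versions section as the upper bound, so v1.15.10 is treated as fixed for both components; the node JSON is a constructed sample in the shape of `kubectl` output, not real cluster data.

```python
import json
import re

# First patched release of each affected minor line, per the advisory's
# "Fixed Versions" section (assumption: these are the upper bounds).
FIXED = {15: (1, 15, 10), 16: (1, 16, 7), 17: (1, 17, 3)}


def parse_version(text):
    """Turn 'v1.16.6-gke.2' into (1, 16, 6); pre-release/build suffixes are ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def kubelet_affected(version):
    """CVE-2020-8551: kubelet v1.15.0 up to the fix; kubelets before v1.15.0 are unaffected."""
    v = parse_version(version)
    if v < (1, 15, 0):
        return False
    fixed = FIXED.get(v[1]) if v[0] == 1 else None
    return fixed is not None and v < fixed


def apiserver_affected(version):
    """CVE-2020-8552: every kube-apiserver below v1.15.10, plus the 1.16 and 1.17 ranges."""
    v = parse_version(version)
    if v < (1, 15, 10):
        return True
    fixed = FIXED.get(v[1]) if v[0] == 1 else None
    return fixed is not None and v < fixed


def vulnerable_nodes(nodes_json):
    """Names of nodes whose kubelet falls in an affected range (input: `kubectl get nodes -o json`)."""
    items = json.loads(nodes_json)["items"]
    return [n["metadata"]["name"] for n in items
            if kubelet_affected(n["status"]["nodeInfo"]["kubeletVersion"])]


# Constructed sample mimicking `kubectl get nodes -o json`; not real cluster output.
SAMPLE_NODES = json.dumps({"items": [
    {"metadata": {"name": "worker-a"}, "status": {"nodeInfo": {"kubeletVersion": "v1.16.6"}}},
    {"metadata": {"name": "worker-b"}, "status": {"nodeInfo": {"kubeletVersion": "v1.16.7"}}},
    {"metadata": {"name": "worker-c"}, "status": {"nodeInfo": {"kubeletVersion": "v1.14.9"}}},
]})

if __name__ == "__main__":
    print("kubelets needing upgrade:", vulnerable_nodes(SAMPLE_NODES))  # ['worker-a']
    print("apiserver v1.15.9 affected:", apiserver_affected("v1.15.9"))  # True
```

Against a live cluster, feed `kubectl get nodes -o json` to `vulnerable_nodes` and the `gitVersion` from `kubectl version -o json` (serverVersion) to `apiserver_affected`.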