CVE-2020-8552: apiserver DoS (oom)

[tallclair]

CVSS Rating: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (Medium)

The Kubernetes API server has been found to be vulnerable to a denial of service attack via authorized API requests.

Am I vulnerable?

If an attacker that can make an authorized resource request to an unpatched API server (see below), then you are vulnerable to this. Prior to v1.14, this was possible via unauthenticated requests by default.

Affected Versions

• kube-apiserver v1.17.0 - v1.17.2
• kube-apiserver v1.16.0 - v1.16.6
• kube-apiserver < v1.15.10

How do I mitigate this vulnerability?

Prior to upgrading, this vulnerability can be mitigated by:

• Preventing unauthenticated or unauthorized access to all apis
• The apiserver should auto restart if it OOMs

Fixed Versions

• v1.17.3
• v1.16.7
• v1.15.10

To upgrade, refer to the documentation: https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster

Acknowledgements

This vulnerability was reported by: Gus Lees (Amazon)

/area security
/kind bug
/committee product-security
/sig api-machinery

[rata]

Is it possible to include a link to the PR/commit that fixed this?

[tallclair]

This was fixed by #87669

[ping035627]

This was fixed by #87673 in v1.17.3

[PushkarJ]

/label official-cve-feed

(Related to kubernetes/sig-security#1)