This morning, a new security issue that affects nearly every version of Kubernetes was disclosed by the Kubernetes Product Security Team (CVE-2019-1002100). It is medium severity, and Kubernetes administrators are advised to first check and limit role-based permissions on Kubernetes users. Container infrastructure maintainers should subsequently consider upgrading the Kubernetes API server to a recently patched version.
Vulnerability Summary
CVE-2019-1002100 is a denial of service (DoS) vulnerability that exists in the Kubernetes API server, allowing users with certain write permissions on the Kubernetes API to make write requests that cause the API server to utilize excessive resources.
Kubernetes Versions Impacted
All major versions of Kubernetes (v1.0-1.13) are impacted, making the scope of this vulnerability significant. However, as subsequently described, the circumstances under which this vulnerability can be exploited are limited.
Analysis
A malicious user seeking to exploit this vulnerability would need to send a specially crafted patch request of type “json-patch” to the API server. To do so requires that the user be granted permissions to make patch requests (e.g., they can run ‘kubectl patch’) in the first place. Therefore, Kubernetes administrators can immediately mitigate this vulnerability simply by configuring Kubernetes role-based access controls (RBAC) to control that the only users who have permissions to make patch requests are trusted users. Patched versions of kube-apiserver now limit the number of operations for single patch requests of type “json-patch”.
The severity of this vulnerability is further limited since it involves no privilege escalation. As we have observed previously, however, vulnerabilities associated with misconfigured RBAC settings can unnecessarily put organizations at risk. Proper RBAC configuration is one of several security best practices that everyone must follow and the key step to immediately mitigating today’s newly reported vulnerability.
Recommendations
Kubernetes administrators should limit the users who have the ability to make patch requests to the Kubernetes API server. If you have granted patch privileges only to trusted users, then you should simply be aware of this vulnerability. Container infrastructure maintainers should evaluate when to upgrade to one of the following patched Kubernetes versions: v1.11.8, v1.12.6, or v1.13.4.