Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2020-8551: Kubelet DoS via API #89377

Closed
tallclair opened this issue Mar 23, 2020 · 7 comments
Closed

CVE-2020-8551: Kubelet DoS via API #89377

tallclair opened this issue Mar 23, 2020 · 7 comments
Labels
area/kubelet area/security committee/security-response Denotes an issue or PR intended to be handled by the product security committee. kind/bug Categorizes issue or PR as related to a bug. official-cve-feed Issues or PRs related to CVEs officially announced by Security Response Committee (SRC) sig/node Categorizes an issue or PR as relevant to SIG Node.

Comments

@tallclair
Copy link
Member

tallclair commented Mar 23, 2020

CVSS Rating: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (Medium)

The Kubelet has been found to be vulnerable to a denial of service attack via the kubelet API, including the unauthenticated HTTP read-only API typically served on port 10255, and the authenticated HTTPS API typically served on port 10250.

Am I vulnerable?

If an attacker can make a request to an unpatched kubelet, then you may be vulnerable to this.

Affected Versions

  • kubelet v1.17.0 - v1.17.2
  • kubelet v1.16.0 - v1.16.6
  • kubelet v1.15.0 - v1.15.9

How do I mitigate this vulnerability?

Limit access to the Kubelet API or patch the Kubelet.

Fixed Versions

  • v1.17.3
  • v1.16.7
  • v1.15.10

To upgrade, refer to the documentation: https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster

Acknowledgements

This vulnerability was reported by: Henrik Schmidt

/area security
/kind bug
/committee product-security
/sig node
/area kubelet

@k8s-ci-robot k8s-ci-robot added area/security kind/bug Categorizes issue or PR as related to a bug. committee/security-response Denotes an issue or PR intended to be handled by the product security committee. sig/node Categorizes an issue or PR as relevant to SIG Node. area/kubelet labels Mar 23, 2020
@dharmab
Copy link
Contributor

dharmab commented Mar 23, 2020

Is v1.15.10 the affected version or the fixed version? It's listed under both.

@tallclair
Copy link
Member Author

Sorry, 1.15.10 is fixed.

@fisherxu
Copy link
Contributor

Do we have relevant PR here?

@yanghaichao12
Copy link
Contributor

@tallclair would you tell where is the pr, thx

@tallclair
Copy link
Member Author

This was fixed by #87913

@yanghaichao12
Copy link
Contributor

@tallclair thank you

@PushkarJ
Copy link
Member

PushkarJ commented Dec 2, 2021

/label official-cve-feed

(Related to kubernetes/sig-security#1)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/kubelet area/security committee/security-response Denotes an issue or PR intended to be handled by the product security committee. kind/bug Categorizes issue or PR as related to a bug. official-cve-feed Issues or PRs related to CVEs officially announced by Security Response Committee (SRC) sig/node Categorizes an issue or PR as relevant to SIG Node.
Projects
None yet
Development

No branches or pull requests

6 participants