Описание
Kubernetes apimachinery packages vulnerable to unbounded recursion in JSON or YAML parsing
CVE-2019-11253 is a denial of service vulnerability in the kube-apiserver, allowing authorized users sending malicious YAML or JSON payloads to cause kube-apiserver to consume excessive CPU or memory, potentially crashing and becoming unavailable.
When creating a ConfigMap object which has recursive references contained in it, excessive CPU usage can occur. This appears to be an instance of a "Billion Laughs" attack which is quite well known as an XML parsing issue.
Applying this manifest to a cluster causes the client to hang for some time with considerable CPU usage.
Specific Go Packages Affected
- k8s.io/apimachinery/pkg/runtime/serializer/json
- k8s.io/apimachinery/pkg/util/json
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2019-11253
- https://github.com/kubernetes/kubernetes/issues/83253
- https://github.com/kubernetes/kubernetes/pull/83261
- https://github.com/advisories/GHSA-pmqp-h87c-mr78
- https://groups.google.com/g/kubernetes-security-announce/c/jk8polzSUxs
- https://pkg.go.dev/vuln/GO-2022-0965
- https://stackoverflow.com/questions/58129150/security-yaml-bomb-user-can-restart-kube-api-by-sending-configmap
Пакеты
k8s.io/apimachinery
< 0.0.0-20190927203648-9ce6eca90e73
0.0.0-20190927203648-9ce6eca90e73
7.5 High
CVSS3
Дефекты
7.5 High
CVSS3