Description
In all Kubernetes versions prior to v1.11.8, v1.12.6, and v1.13.4, users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type "json-patch" (e.g. `kubectl patch --type json` or `"Content-Type: application/json-patch+json"`) that consumes excessive resources while processing, causing a Denial of Service on the API Server.
A denial of service vulnerability was found in the Kubernetes API server. A remote user, with authorization to apply patches, could exploit this via crafted JSON input, causing excessive consumption of resources and subsequent denial of service.
Statement
This issue affects the Kubernetes API Server, shipped in OpenShift Container Platform versions 3.4 through 3.11 as part of the atomic-openshift package. Red Hat Product Security has rated this issue as having a security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Mitigation
Remove 'patch' permissions from untrusted users.
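The mitigation is a one-liner, but applying it means first knowing which RBAC subjects actually hold the `patch` verb (directly or through the `*` wildcard) and then removing it. The following audit script is an added example, not part of the advisory or of the Kubernetes or Red Hat projects. It assumes Role/ClusterRole and RoleBinding/ClusterRoleBinding objects in the same shape that `kubectl get <kind> -o json` returns; the sample objects in the block are constructed for illustration.

```python
"""Audit Kubernetes RBAC objects for the 'patch' verb and strip it (added example).

Assumes Role/ClusterRole and RoleBinding/ClusterRoleBinding objects shaped like
the JSON `kubectl get ... -o json` returns. All sample objects below are constructed.
"""

import copy
from typing import Dict, Iterable, List, Tuple

# Verbs that let a subject send PATCH requests to the API server.
# "*" is included because a wildcard verb list implies patch.
PATCH_VERBS = {"patch", "*"}


def rules_granting_patch(role: Dict) -> List[Dict]:
    """Return the PolicyRules in a Role/ClusterRole that allow the patch verb."""
    return [
        rule for rule in role.get("rules", [])
        if PATCH_VERBS & set(rule.get("verbs", []))
    ]


def subjects_with_patch(roles: Iterable[Dict],
                        bindings: Iterable[Dict]) -> List[Tuple[str, str, str]]:
    """Resolve every binding that references a patch-granting role to its subjects.

    Returns sorted (subject kind, subject name, role name) triples so the output
    is stable and easy to diff between audit runs.
    """
    patch_roles = {
        (r["kind"], r["metadata"]["name"]) for r in roles if rules_granting_patch(r)
    }
    found = set()
    for binding in bindings:
        ref = binding["roleRef"]
        if (ref["kind"], ref["name"]) not in patch_roles:
            continue
        for subject in binding.get("subjects", []):
            found.add((subject["kind"], subject["name"], ref["name"]))
    return sorted(found)


def remove_patch_verb(role: Dict) -> Dict:
    """Return a copy of the role with the explicit 'patch' verb removed from every rule.

    A wildcard "*" verb is left untouched on purpose: it must be replaced by an
    explicit verb list by hand, because silently narrowing it could break workloads.
    """
    hardened = copy.deepcopy(role)
    for rule in hardened.get("rules", []):
        rule["verbs"] = [v for v in rule.get("verbs", []) if v != "patch"]
    return hardened


# --- Constructed sample objects (hypothetical names, not from the advisory) ---
SAMPLE_ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "edit-like"},
     "rules": [{"apiGroups": ["apps"], "resources": ["deployments"],
                "verbs": ["get", "list", "patch"]}]},
    {"kind": "Role", "metadata": {"name": "viewer", "namespace": "ci"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "admin-star"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]

SAMPLE_BINDINGS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "alice-edit"},
     "roleRef": {"kind": "ClusterRole", "name": "edit-like"},
     "subjects": [{"kind": "User", "name": "dev-alice"}]},
    {"kind": "RoleBinding", "metadata": {"name": "ci-view", "namespace": "ci"},
     "roleRef": {"kind": "Role", "name": "viewer"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-bot", "namespace": "ci"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "admins"},
     "roleRef": {"kind": "ClusterRole", "name": "admin-star"},
     "subjects": [{"kind": "Group", "name": "cluster-admins"}]},
]


if __name__ == "__main__":
    for kind, name, role in subjects_with_patch(SAMPLE_ROLES, SAMPLE_BINDINGS):
        print(f"{kind}/{name} can patch via {role}")
    # Apply the mitigation to the constructed 'edit-like' role and re-check it.
    print(rules_granting_patch(remove_patch_verb(SAMPLE_ROLES[0])))
```

On a live cluster the same functions can be fed the `items` lists of `kubectl get clusterroles,roles,clusterrolebindings,rolebindings -A -o json`; the audit flags wildcard grants separately from explicit `patch` grants, since the former cannot be narrowed mechanically without reviewing what the role is for.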
Affected packages
Platform | Package | Status | Advisory | Release |
---|---|---|---|---|
Red Hat OpenShift Container Platform 3.4 | atomic-openshift | Will not fix | ||
Red Hat OpenShift Container Platform 3.5 | atomic-openshift | Will not fix | ||
Red Hat OpenShift Container Platform 3.6 | atomic-openshift | Out of support scope | ||
Red Hat OpenShift Container Platform 3.7 | atomic-openshift | Out of support scope | ||
Red Hat OpenShift Container Platform 3.9 | atomic-openshift | Fix deferred | ||
Red Hat OpenShift Container Platform 4 | openshift | Not affected | ||
Red Hat Storage 3 | heketi | Affected | ||
Red Hat OpenShift Container Platform 3.10 | atomic-openshift | Fixed | RHSA-2019:3239 | 29.10.2019 |
Red Hat OpenShift Container Platform 3.11 | atomic-openshift | Fixed | RHSA-2019:1851 | 24.07.2019 |
Red Hat OpenShift Container Platform 3.11 | jenkins-2-plugins | Fixed | RHSA-2019:1851 | 24.07.2019 |
Additional information
Status:
EPSS
6.5 Medium
CVSS3
Related vulnerabilities
In all Kubernetes versions prior to v1.11.8, v1.12.6, and v1.13.4, users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type "json-patch" (e.g. `kubectl patch --type json` or `"Content-Type: application/json-patch+json"`) that consumes excessive resources while processing, causing a Denial of Service on the API Server.
In all Kubernetes versions prior to v1.11.8, v1.12.6, and v1.13.4, users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type "json-patch" (e.g. `kubectl patch --type json` or `"Content-Type: application/json-patch+json"`) that consumes excessive resources while processing, causing a Denial of Service on the API Server.
In all Kubernetes versions prior to v1.11.8, v1.12.6, and v1.13.4, use ...
A vulnerability in the Kubernetes virtual machine cluster management software, related to uncontrolled resource consumption, that allows an attacker to cause a denial of service
EPSS
6.5 Medium
CVSS3