Description
The Kubelet component in versions 1.15.0-1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via the kubelet API, including the unauthenticated HTTP read-only API typically served on port 10255, and the authenticated HTTPS API typically served on port 10250.
A denial of service flaw was found in Kubernetes' Kubelet API. A remote attacker can exploit this flaw by sending repeated, crafted HTTP requests to exhaust available memory and cause a crash.
Statement
By default, OpenShift Container Platform does not allow unauthenticated access to the Kubelet API. OpenShift Container Platform versions before 4.2 are not affected by this vulnerability as they are based on earlier versions of Kubernetes which do not include metrics for the Kubelet HTTP server.
Mitigation
Prevent unauthenticated or unauthorized access to the Kubelet API
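One way to apply that mitigation on an upstream Kubernetes node, as an added example that is not part of this advisory and not Red Hat's or the Kubernetes project's own configuration: a KubeletConfiguration that turns off the unauthenticated read-only port and requires every request to the HTTPS API to be authenticated and authorized by the API server. The CA file path is an assumption; substitute the cluster's own.

```yaml
# Added example (not from the advisory): upstream Kubernetes KubeletConfiguration
# that closes the unauthenticated read-only HTTP API and makes the HTTPS API
# reject anonymous callers.
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
# Read-only HTTP API (default port 10255): 0 disables the listener entirely.
readOnlyPort: 0
authentication:
  anonymous:
    enabled: false        # requests carrying no credentials are rejected (401)
  webhook:
    enabled: true         # bearer tokens are checked with the API server (TokenReview)
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt   # assumed path; point at your cluster CA
authorization:
  mode: Webhook           # every request is authorized via SubjectAccessReview
```

After the kubelet is restarted with this file, a connection to port 10255 on the node should be refused, and an HTTPS request to port 10250 without a token or client certificate should return 401 Unauthorized; those two checks confirm that the unauthenticated surface the advisory describes is closed. OpenShift manages these settings through its own KubeletConfig custom resource rather than this file, which is why the statement above reports no unauthenticated access by default.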
Affected packages
Platform | Package | State | Advisory | Release date |
---|---|---|---|---|
Red Hat OpenShift Container Platform 3.11 | atomic-openshift | Not affected | ||
Red Hat OpenShift Container Platform 4 | openshift4/ose-hypershift | Not affected | ||
Red Hat OpenShift Container Platform 4 | openshift4/ose-openshift-apiserver-rhel9 | Not affected | ||
Red Hat Storage 3 | heketi | Not affected | ||
Red Hat OpenShift Container Platform 4.3 | openshift | Fixed | RHSA-2020:1276 | 07.04.2020 |
Red Hat OpenShift Container Platform 4.3 | openshift4/ose-hyperkube | Fixed | RHSA-2020:1277 | 08.04.2020 |
Additional information
CVSS3: 4.3 Medium
Related vulnerabilities
- Allocation of Resources Without Limits or Throttling and Uncontrolled Memory Allocation in Kubernetes (CVSS3: 4.3 Medium)