Описание
A security issue was discovered in Kubernetes where a large number of container checkpoint requests made to the unauthenticated kubelet read-only HTTP endpoint may cause a Node Denial of Service by filling the Node's disk.
A flaw was found in Kubernetes. A large number of container checkpoint requests made to the unauthenticated kubelet read-only HTTP endpoint may fill the Node's disk, potentially leading to a Node denial of service.
Отчет
OpenShift is not impacted by this vulnerability since the kubelet's unauthenticated read-only port is not enabled in that product. Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-400: Uncontrolled Resource Consumption vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low. Red Hat restricts access to all platform information by default, granting access only after successful hard token-based multi-factor authentication (MFA) and enforcing least privilege to ensure only authorized roles can execute or modify code. The environment employs malicious code protections, including IDS/IPS and antimalware tools to detect threats and monitor resource usage, helping prevent uncontrolled consumption that could lead to system failure. Additional safeguards, such as web application firewalls and load-balancing strategies, protect against resource exhaustion and performance degradation. Event logs are centrally collected, correlated, and analyzed to support monitoring, alerting, and retention, aiding in the detection of abnormal behavior and potential denial-of-service (DoS) conditions. Static code analysis and peer reviews enforce strong input validation and error handling, reducing the likelihood of input-based DoS attacks.
Меры по смягчению последствий
To mitigate this vulnerability, disable the kubelet read-only port by setting readOnlyPort: 0 in /var/lib/kubelet/config.yaml and restarting kubelet. Additionally, disable container checkpointing by setting ContainerCheckpoint: false under featureGates. If using CRI-O, ensure enable_criu_support=false is configured in /etc/crio/crio.conf.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Builds for Red Hat OpenShift | openshift-builds/openshift-builds-shared-resource-rhel9 | Affected | ||
| Builds for Red Hat OpenShift | openshift-builds/openshift-builds-shared-resource-webhook-rhel9 | Affected | ||
| cert-manager Operator for Red Hat OpenShift | cert-manager/cert-manager-operator-rhel9 | Affected | ||
| cert-manager Operator for Red Hat OpenShift | cert-manager/jetstack-cert-manager-acmesolver-rhel9 | Affected | ||
| cert-manager Operator for Red Hat OpenShift | cert-manager/jetstack-cert-manager-rhel9 | Affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/thanos-receive-controller-rhel8 | Not affected | ||
| Red Hat OpenShift Container Platform 4 | cri-tools | Will not fix | ||
| Red Hat OpenShift Container Platform 4 | csi-driver-nfs-container | Will not fix | ||
| Red Hat OpenShift Container Platform 4 | openshift | Will not fix | ||
| Red Hat OpenShift Container Platform 4 | openshift4/cnf-tests-rhel8 | Will not fix |
Показывать по
Дополнительная информация
Статус:
EPSS
6.2 Medium
CVSS3
Связанные уязвимости
A security issue was discovered in Kubernetes where a large number of container checkpoint requests made to the unauthenticated kubelet read-only HTTP endpoint may cause a Node Denial of Service by filling the Node's disk.
A security issue was discovered in Kubernetes where a large number of container checkpoint requests made to the unauthenticated kubelet read-only HTTP endpoint may cause a Node Denial of Service by filling the Node's disk.
A security issue was discovered in Kubernetes where a large number of ...
EPSS
6.2 Medium
CVSS3