Description
A security issue was discovered in Kubernetes where a large number of container checkpoint requests made to the unauthenticated kubelet read-only HTTP endpoint may cause a Node Denial of Service by filling the Node's disk.
A flaw was found in Kubernetes. A large number of container checkpoint requests made to the unauthenticated kubelet read-only HTTP endpoint may fill the Node's disk, potentially leading to a Node denial of service.
Statement
OpenShift is not impacted by this vulnerability since the kubelet's unauthenticated read-only port is not enabled in that product.
Mitigation
To mitigate this vulnerability, disable the kubelet read-only port by setting `readOnlyPort: 0` in `/var/lib/kubelet/config.yaml` and restarting the kubelet. Additionally, disable container checkpointing by setting `ContainerCheckpoint: false` under `featureGates`. If using CRI-O, ensure `enable_criu_support=false` is configured in `/etc/crio/crio.conf`.
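As an added example, not part of this advisory or of any Red Hat or Kubernetes tooling: a small POSIX shell audit helper that checks a node's kubelet configuration file and CRI-O configuration for the three settings named in the mitigation above. The constructed sample configs, the temporary file names and the `audit_checkpoint_hardening` function are assumptions made for the example; on a real node you would point the function at `/var/lib/kubelet/config.yaml` and `/etc/crio/crio.conf`.

```shell
#!/bin/sh
# Added audit helper (not from the advisory): checks a kubelet config file and
# a CRI-O config file for the three mitigations the advisory names.
# All sample files below are constructed for this example.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: a node that still exposes the read-only port and
# allows checkpointing (the configuration the advisory warns about).
cat > "$WORK/kubelet-weak.yaml" <<'EOF'
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
readOnlyPort: 10255
featureGates:
  ContainerCheckpoint: true
EOF

# Constructed sample: the same node after applying the mitigation.
cat > "$WORK/kubelet-hardened.yaml" <<'EOF'
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
readOnlyPort: 0
featureGates:
  ContainerCheckpoint: false
EOF

# Constructed CRI-O samples (weak and hardened) for the CRIU setting.
cat > "$WORK/crio-weak.conf" <<'EOF'
[crio.runtime]
enable_criu_support = true
EOF

cat > "$WORK/crio-hardened.conf" <<'EOF'
[crio.runtime]
enable_criu_support = false
EOF

# audit_checkpoint_hardening <kubelet-config.yaml> <crio.conf>
# Prints one FINDING line per missing setting; returns 0 when all three
# mitigations are present, 1 otherwise. Matching is line-based and expects
# the keys to be written as in the advisory (top-level readOnlyPort, an
# indented ContainerCheckpoint entry under featureGates).
audit_checkpoint_hardening() {
  kubelet_cfg=$1
  crio_cfg=$2
  rc=0

  # Mitigation 1: readOnlyPort must be explicitly 0 (read-only port disabled).
  if ! grep -Eq '^readOnlyPort:[[:space:]]*0[[:space:]]*$' "$kubelet_cfg"; then
    echo "FINDING: $kubelet_cfg does not set readOnlyPort: 0"
    rc=1
  fi

  # Mitigation 2: the ContainerCheckpoint feature gate must be false.
  if ! grep -Eq '^[[:space:]]+ContainerCheckpoint:[[:space:]]*false[[:space:]]*$' "$kubelet_cfg"; then
    echo "FINDING: $kubelet_cfg does not set featureGates.ContainerCheckpoint: false"
    rc=1
  fi

  # Mitigation 3 (CRI-O nodes only): CRIU support must be disabled in crio.conf.
  if [ -n "$crio_cfg" ] && \
     ! grep -Eq '^[[:space:]]*enable_criu_support[[:space:]]*=[[:space:]]*false[[:space:]]*$' "$crio_cfg"; then
    echo "FINDING: $crio_cfg does not set enable_criu_support = false"
    rc=1
  fi

  return $rc
}

# Stand-alone run over the constructed samples.
for pair in "kubelet-weak.yaml crio-weak.conf" "kubelet-hardened.yaml crio-hardened.conf"; do
  set -- $pair
  if audit_checkpoint_hardening "$WORK/$1" "$WORK/$2"; then
    echo "OK: $1 + $2 are hardened"
  else
    echo "NOT HARDENED: $1 + $2"
  fi
done
```

The check deliberately requires `readOnlyPort: 0` to be present explicitly rather than inferring anything from an absent key, because the advisory's guidance is to set it; a node whose kubelet is configured through command-line flags rather than the config file is not covered by this file-based check and should be audited from the running process's arguments instead.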
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Builds for Red Hat OpenShift | openshift-builds/openshift-builds-shared-resource-rhel9 | Affected | | |
| Builds for Red Hat OpenShift | openshift-builds/openshift-builds-shared-resource-webhook-rhel9 | Affected | | |
| cert-manager Operator for Red Hat OpenShift | cert-manager/cert-manager-operator-rhel9 | Affected | | |
| cert-manager Operator for Red Hat OpenShift | cert-manager/jetstack-cert-manager-acmesolver-rhel9 | Affected | | |
| cert-manager Operator for Red Hat OpenShift | cert-manager/jetstack-cert-manager-rhel9 | Affected | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/thanos-receive-controller-rhel9 | Not affected | | |
| Red Hat OpenShift Container Platform 4 | cri-tools | Will not fix | | |
| Red Hat OpenShift Container Platform 4 | openshift | Will not fix | | |
| Red Hat OpenShift Container Platform 4 | openshift4/cnf-tests-rhel8 | Will not fix | | |
| Red Hat OpenShift Container Platform 4 | openshift4/ingress-node-firewall | Will not fix | | |
Additional information
Status:
EPSS:
CVSS3: 6.2 Medium
Related vulnerabilities
Node Denial of Service via kubelet Checkpoint API