#VU31127 Resource exhaustion in Kubernetes - CVE-2019-1002100

Cybersecurity Help s.r.o.

Published: 2019-04-01 | Updated: 2020-07-17

Vulnerability identifier: #VU31127

Vulnerability risk: Medium

CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-1002100

CWE-ID: CWE-400

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Kubernetes
Server applications / Frameworks for developing and running applications

Vendor: Kubernetes

Description

The vulnerability allows a remote authenticated user to perform a denial of service (DoS) attack.

In all Kubernetes versions prior to v1.11.8, v1.12.6, and v1.13.4, users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type "json-patch" (e.g. `kubectl patch --type json` or `"Content-Type: application/json-patch+json"`) that consumes excessive resources while processing, causing a Denial of Service on the API Server.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Kubernetes: 1.13.0 alpha.1 - 1.13.3

External links
https://www.securityfocus.com/bid/107290
https://access.redhat.com/errata/RHSA-2019:1851
https://access.redhat.com/errata/RHSA-2019:3239
https://github.com/kubernetes/kubernetes/issues/74534
https://groups.google.com/forum/#!topic/kubernetes-announce/vmUUNkYfG9g
https://security.netapp.com/advisory/ntap-20190416-0002/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Cloud Pak for AIOps

Multiple vulnerabilities in IBM Observability with Instana

Red Hat OpenShift Container Platform 3.10 update for atomic-openshift

Resource exhaustion in Kubernetes Kubernetes