Bug 1127554 - (CVE-2019-1002100) VUL-0: CVE-2019-1002100: kubernetes: v1.11.8, 1.12.6, 1.13.4 released to address medium severity CVE-2019-1002100
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Hardware: Other OS: Other
Priority: P3 - Medium Severity: Minor
Target Milestone: ---
Assigned To: Security Team bot
Depends on:
Reported: 2019-03-01 16:56 UTC by Marcus Meissner
Modified: 2020-10-21 09:22 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2019-03-01 16:56:23 UTC

via security announce list

Hello Kubernetes Community,

A denial of service vulnerability was reported in kube-apiserver in which
authorized users with API write permissions can cause the API server to
consume excessive resources while handling a write request. The issue is
medium severity and can be resolved by upgrading the kube-apiserver to
v1.11.8, v1.12.6, or v1.13.4.

Am I vulnerable?

The following versions of kube-apiserver are vulnerable:






How can I mitigate the vulnerability prior to upgrade?

Remove ‘patch’ permissions from untrusted users.

Vulnerability Details

Users that are authorized to make patch requests to the Kubernetes API
Server can send a specially crafted patch of type “json-patch” (e.g.
`kubectl patch --type json` or `"Content-Type:
application/json-patch+json"`) that consumes excessive resources while
processing, causing a Denial of Service on the API Server. There is no
information disclosure or permission escalation associated with this

This issue is filed as CVE-2019-1002100. We have rated it as
(6.5, medium). See GitHub issue #74534
<https://github.com/kubernetes/kubernetes/issues/74534> for more details.

Thank you

Thanks to Carl Henrik Lunde for reporting this problem. As a reminder, if
you find a security vulnerability in Kubernetes, please report it following
the security disclosure process

Thanks to Chao Xu and Jordan Liggitt for developing the fix, and thanks to
the patch release managers Aleksandra Malinowska, Timothy Pepper, Pengfei
Ni, and Anirudh Ramanathan for coordinating the releases.

-CJ Cullen on behalf of the Kubernetes Product Security Team

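The advisory's interim mitigation is to take the `patch` verb away from untrusted users. The following script is an added example, not part of the announcement or of any SUSE or Kubernetes tooling: it audits RBAC roles for rules that grant `patch` (explicitly or via the `*` wildcard) and produces a hardened copy with the verb removed. It assumes its input is the `items` list from `kubectl get clusterroles,roles -A -o json`; the roles below are constructed inline so it runs offline.

```python
"""Audit Kubernetes RBAC rules for 'patch' grants (CVE-2019-1002100 mitigation check)."""
import json

# Constructed sample in the shape of `kubectl get clusterroles,roles -A -o json`:
# one editor role that grants patch, one read-only role, one wildcard role.
SAMPLE_ROLES = json.loads("""
{"items": [
  {"kind": "ClusterRole", "metadata": {"name": "dev-editor"},
   "rules": [{"apiGroups": ["apps"], "resources": ["deployments"],
              "verbs": ["get", "list", "patch", "update"]}]},
  {"kind": "Role", "metadata": {"name": "viewer", "namespace": "team-a"},
   "rules": [{"apiGroups": [""], "resources": ["pods"],
              "verbs": ["get", "list", "watch"]}]},
  {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
   "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
]}""")["items"]


def grants_patch(rule):
    """A rule grants patch if it lists the verb explicitly or uses the '*' wildcard."""
    verbs = rule.get("verbs", [])
    return "patch" in verbs or "*" in verbs


def roles_with_patch(items):
    """Return (kind, namespace, name, resources) for every rule that allows patch."""
    findings = []
    for role in items:
        meta = role["metadata"]
        for rule in role.get("rules", []):
            if grants_patch(rule):
                findings.append((role["kind"], meta.get("namespace", ""),
                                 meta["name"], tuple(rule.get("resources", []))))
    return findings


def strip_patch(role):
    """Return a deep copy of the role with the explicit 'patch' verb removed.
    Wildcard ('*') rules are left untouched: roles like cluster-admin need a
    deliberate review of who is bound to them, not an automatic edit."""
    hardened = json.loads(json.dumps(role))
    for rule in hardened.get("rules", []):
        rule["verbs"] = [v for v in rule.get("verbs", []) if v != "patch"]
    return hardened


if __name__ == "__main__":
    for kind, ns, name, resources in roles_with_patch(SAMPLE_ROLES):
        print(f"{kind} {ns + '/' if ns else ''}{name}: patch on {', '.join(resources)}")
```

Roles flagged by `roles_with_patch` should then be cross-checked against their RoleBindings and ClusterRoleBindings to see which subjects actually hold the verb.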
Comment 1 Jordi Massaguer 2019-03-18 18:43:19 UTC
assigning to containers team so the bug squad leader triages this.
Comment 2 Jordi Massaguer 2019-03-18 18:46:08 UTC
Vicente is the bug squad leader. Setting needinfo on him.
Comment 3 Maximilian Meister 2019-05-20 11:20:12 UTC
we decided to update k8s, here's the SR: https://build.suse.de/request/show/192971
Comment 4 Wolfgang Frisch 2019-11-07 14:15:30 UTC
is still being tracked as affected.
Comment 5 Alexandros Toptsoglou 2020-07-13 12:53:54 UTC