Bugzilla – Bug 1127554
VUL-0: CVE-2019-1002100: kubernetes: v1.11.8, 1.12.6, 1.13.4 released to address medium severity CVE-2019-1002100
Last modified: 2020-10-21 09:22:46 UTC
CVE-2019-1002100 via security announce list

Hello Kubernetes Community,

A denial of service vulnerability was reported in kube-apiserver in which authorized users with API write permissions can cause the API server to consume excessive resources while handling a write request. The issue is medium severity and can be resolved by upgrading the kube-apiserver to v1.11.8, v1.12.6, or v1.13.4.

Am I vulnerable?

The following versions of kube-apiserver are vulnerable:
- v1.0.0-1.10.x
- v1.11.0-1.11.7
- v1.12.0-1.12.5
- v1.13.0-1.13.3

How can I mitigate the vulnerability prior to upgrade?

Remove ‘patch’ permissions from untrusted users.

Vulnerability Details

Users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type “json-patch” (e.g. `kubectl patch --type json` or `"Content-Type: application/json-patch+json"`) that consumes excessive resources while processing, causing a Denial of Service on the API Server. There is no information disclosure or permission escalation associated with this vulnerability.

This issue is filed as CVE-2019-1002100. We have rated it as CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H <https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H> (6.5, medium)

See GitHub issue #74534 <https://github.com/kubernetes/kubernetes/issues/74534> for more details.

Thank you

Thanks to Carl Henrik Lunde for reporting this problem. As a reminder, if you find a security vulnerability in Kubernetes, please report it following the security disclosure process <https://kubernetes.io/docs/reference/issues-security/security/#report-a-vulnerability>. Thanks to Chao Xu and Jordan Liggitt for developing the fix, and thanks to the patch release managers Aleksandra Malinowska, Timothy Pepper, Pengfei Ni, and Anirudh Ramanathan for coordinating the releases.

-CJ Cullen on behalf of the Kubernetes Product Security Team

References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1002100
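The interim mitigation in the announcement is to take the `patch` verb away from untrusted principals until kube-apiserver is upgraded. The script below is an added example, not part of the advisory or of the Kubernetes project: it audits exported RBAC objects for rules that grant `patch` (or the wildcard `*`, which implies it) and produces a hardened copy of a Role with the explicit `patch` verb removed. It assumes the input is the JSON that `kubectl get clusterroles,roles -A -o json` prints; the embedded sample is constructed for the example and is not real cluster output.

```python
import copy
import json
from typing import Dict, List, Tuple

# Constructed sample in the shape of `kubectl get clusterroles,roles -A -o json`,
# trimmed to the fields the audit needs. Not taken from any real cluster.
SAMPLE_RBAC_JSON = json.dumps({
    "kind": "List",
    "items": [
        {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
         "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
        {"kind": "Role", "metadata": {"name": "deploy-editor", "namespace": "dev"},
         "rules": [{"apiGroups": ["apps"], "resources": ["deployments"],
                    "verbs": ["get", "list", "patch", "update"]}]},
        {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "dev"},
         "rules": [{"apiGroups": [""], "resources": ["pods"],
                    "verbs": ["get", "list", "watch"]}]},
    ],
})

# Verbs that allow a json-patch request: "patch" itself, or the wildcard.
PATCH_VERBS = {"patch", "*"}


def find_patch_grants(rbac_json: str) -> List[Dict[str, str]]:
    """Return one record per rule that grants patch (or *) on any resource.

    Each record names the role kind, namespace (empty for ClusterRoles),
    role name, the resources covered and which offending verbs were found.
    """
    doc = json.loads(rbac_json)
    findings: List[Dict[str, str]] = []
    for item in doc.get("items", []):
        meta = item.get("metadata", {})
        for rule in item.get("rules") or []:
            hit = set(rule.get("verbs", [])) & PATCH_VERBS
            if not hit:
                continue
            findings.append({
                "kind": item.get("kind", ""),
                "namespace": meta.get("namespace", ""),
                "name": meta.get("name", ""),
                "resources": ",".join(rule.get("resources", [])),
                "verbs": ",".join(sorted(hit)),
            })
    return findings


def strip_patch_verb(role: dict) -> Tuple[dict, bool]:
    """Return (hardened copy of the role, wildcard_remains).

    The explicit "patch" verb is dropped from every rule. A wildcard "*"
    verb is left untouched and flagged, because narrowing it to a concrete
    verb list is a judgement call for the role's owner, not for a script.
    """
    hardened = copy.deepcopy(role)
    wildcard_remains = False
    for rule in hardened.get("rules") or []:
        verbs = rule.get("verbs", [])
        if "*" in verbs:
            wildcard_remains = True
        rule["verbs"] = [v for v in verbs if v != "patch"]
    return hardened, wildcard_remains


if __name__ == "__main__":
    # Pre-upgrade audit: list every role that still allows patch requests.
    for f in find_patch_grants(SAMPLE_RBAC_JSON):
        scope = f["namespace"] or "<cluster>"
        print(f"{f['kind']} {scope}/{f['name']}: verbs={f['verbs']} on {f['resources']}")
    # Show the hardened form of the namespaced editor role.
    editor = json.loads(SAMPLE_RBAC_JSON)["items"][1]
    fixed, wildcard = strip_patch_verb(editor)
    print(json.dumps(fixed["rules"]), "wildcard remains:", wildcard)
```

Running it prints the two roles that still permit patch requests (the wildcard `cluster-admin` and the `dev/deploy-editor` Role) and the editor's rules with `patch` removed. Roles that only show up because of a `*` verb are reported rather than rewritten, since replacing a wildcard changes far more than the one verb the advisory is about.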
assigning to containers team so the bug squad leader triages this.
Vicente is the bug squad leader. Setting needinfo on him.
we decided to update k8s, here's the SR: https://build.suse.de/request/show/192971
SUSE:SLE-12-SP3:Update:Products:CASP30:Update is still being tracked as affected.
Closing