Bugzilla – Bug 1127554
VUL-0: CVE-2019-1002100: kubernetes: v1.11.8, 1.12.6, 1.13.4 released to address medium severity CVE-2019-1002100
Last modified: 2020-10-21 09:22:46 UTC
via security announce list
Hello Kubernetes Community,
A denial of service vulnerability was reported in kube-apiserver in which
authorized users with API write permissions can cause the API server to
consume excessive resources while handling a write request. The issue is
medium severity and can be resolved by upgrading the kube-apiserver to
v1.11.8, v1.12.6, or v1.13.4.
Am I vulnerable?
The following versions of kube-apiserver are vulnerable:
How can I mitigate the vulnerability prior to upgrade?
Remove ‘patch’ permissions from untrusted users.
Users that are authorized to make patch requests to the Kubernetes API
Server can send a specially crafted patch of type “json-patch” (e.g.
`kubectl patch --type json` or `"Content-Type:
application/json-patch+json"`) that consumes excessive resources while
processing, causing a Denial of Service on the API Server. There is no
information disclosure or permission escalation associated with this
This issue is filed as CVE-2019-1002100. We have rated it as
(6.5, medium). See GitHub issue #74534
<https://github.com/kubernetes/kubernetes/issues/74534> for more details.
Thanks to Carl Henrik Lunde for reporting this problem. As a reminder, if
you find a security vulnerability in Kubernetes, please report it following
the security disclosure process
Thanks to Chao Xu and Jordan Liggitt for developing the fix, and thanks to
the patch release managers Aleksandra Malinowska, Timothy Pepper, Pengfei
Ni, and Anirudh Ramanathan for coordinating the releases.
-CJ Cullen on behalf of the Kubernetes Product Security Team
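To turn the two questions in the announcement ("Am I vulnerable?" and "who can send patch requests?") into a repeatable check, here is an added example. It is not part of the announcement or of the Kubernetes project; it works offline on JSON shaped like the output of `kubectl version -o json` (the `serverVersion.gitVersion` field) and `kubectl get roles,clusterroles --all-namespaces -o json` / `kubectl get rolebindings,clusterrolebindings --all-namespaces -o json`. The fixed patch levels come from the announcement; the treatment of minor lines outside 1.11 to 1.13 and all of the sample Role and binding objects are assumptions, labelled as such in the code.

```python
# Added example (not from the advisory or the Kubernetes project): audit helpers
# for CVE-2019-1002100. Runs offline on constructed sample objects below.
import json

# Fixed patch level per minor line, as listed in the announcement.
FIXED_PATCH_LEVEL = {11: 8, 12: 6, 13: 4}


def parse_version(git_version):
    """'v1.13.4', '1.12.6+ikm' or 'v1.11.8-gke.1' -> (1, 13, 4) etc."""
    core = git_version.lstrip("v").split("+", 1)[0].split("-", 1)[0]
    major, minor, patch = (int(p) for p in core.split(".")[:3])
    return major, minor, patch


def apiserver_is_fixed(git_version):
    """True when the kube-apiserver version carries the fix.

    Assumption (ours, not the announcement's): minor lines after 1.13 were cut
    after the fix and contain it; lines before 1.11 have no fixed release listed
    in the announcement and are reported as not fixed.
    """
    major, minor, patch = parse_version(git_version)
    if major != 1:
        raise ValueError("unexpected major version: %s" % git_version)
    if minor in FIXED_PATCH_LEVEL:
        return patch >= FIXED_PATCH_LEVEL[minor]
    return minor > 13


def patch_rules(role):
    """Rules of a Role/ClusterRole whose verbs include 'patch' or the wildcard."""
    return [rule for rule in role.get("rules", [])
            if "patch" in rule.get("verbs", []) or "*" in rule.get("verbs", [])]


def subjects_with_patch(roles, bindings):
    """Map 'Kind:name' of every bound subject to the patch-granting rules it reaches.

    `roles` and `bindings` are the `items` lists of Role/ClusterRole and
    RoleBinding/ClusterRoleBinding objects. Roles are namespaced, so a
    RoleBinding's roleRef of kind Role is resolved in the binding's namespace.
    """
    by_key = {(r["kind"], r["metadata"].get("namespace"), r["metadata"]["name"]):
              patch_rules(r) for r in roles}
    result = {}
    for b in bindings:
        ref = b["roleRef"]
        ns = b["metadata"].get("namespace") if ref["kind"] == "Role" else None
        rules = by_key.get((ref["kind"], ns, ref["name"]), [])
        if not rules:
            continue
        for s in b.get("subjects", []):
            key = "%s:%s" % (s["kind"], s["name"])
            result.setdefault(key, []).extend(rules)
    return result


def load_items(path):
    """Read the `items` list from a `kubectl get ... -o json` dump on disk."""
    with open(path) as f:
        return json.load(f)["items"]


# Constructed sample objects (hypothetical names, not taken from any real cluster).
SAMPLE_ROLES = [
    {"kind": "Role", "metadata": {"name": "deploy-editor", "namespace": "app"},
     "rules": [{"apiGroups": ["apps"], "resources": ["deployments"],
                "verbs": ["get", "list", "update", "patch"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "read-only"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "services"],
                "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "ci-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]
SAMPLE_BINDINGS = [
    {"kind": "RoleBinding", "metadata": {"name": "deploy-editor", "namespace": "app"},
     "roleRef": {"kind": "Role", "name": "deploy-editor"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "readers"},
     "roleRef": {"kind": "ClusterRole", "name": "read-only"},
     "subjects": [{"kind": "Group", "name": "developers"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci"},
     "roleRef": {"kind": "ClusterRole", "name": "ci-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-runner", "namespace": "ci"}]},
]

if __name__ == "__main__":
    for v in ("v1.13.3", "v1.13.4", "v1.12.6+ikm", "v1.11.7-gke.1", "v1.10.13"):
        print(v, "fixed" if apiserver_is_fixed(v) else "NOT fixed")
    for subject, rules in sorted(subjects_with_patch(SAMPLE_ROLES, SAMPLE_BINDINGS).items()):
        print(subject, "can patch:", [r["resources"] for r in rules])
```

On the sample data, `alice` (via the namespaced Role) and the `ci-runner` service account (via the wildcard ClusterRole) are the subjects that reach a patch-granting rule; the `developers` group does not. The wildcard verb is the case that a naive `grep patch` over role dumps misses, which is why the audit treats `*` as equivalent to `patch`.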
assigning to containers team so the bug squad leader triages this.
Vicente is the bug squad leader. Setting needinfo on him.
We decided to update k8s; here's the SR: https://build.suse.de/request/show/192971
is still being tracked as affected.