Priority: High
Executive Summary: Two severe vulnerabilities that allow easy denial-of-service attacks against almost all versions of Kubernetes clusters were disclosed this week as part of a set of HTTP/2 implementation vulnerabilities.
Kubernetes is an open-source container-orchestration system for the large-scale production development and deployment of applications; containers are analogous to lightweight virtual machines, with a lesser requirement for isolation from the host operating system. Kubernetes relies on the Go golang.org/x/net package for its HTTP and HTTPS listeners, and the flaws in that package's HTTP/2 implementation allow an untrusted client to make the server allocate an unlimited amount of memory until it crashes.
A series of flaws in the way various HTTP/2 implementations, including the Go golang.org/x/net package, queue outbound control frames allows a malicious client to send a flood of PING frames (CVE-2019-9512) or of invalid requests that each solicit an RST_STREAM frame (CVE-2019-9514); the queued responses consume excess server resources, leading to a denial of service.
Detect: Any Kubernetes cluster running a version listed under Affected Products below, with an HTTP(S) listener running in any pod, should be treated as affected.
Affected Products:
- Kubernetes v1.16.x <= v1.16.0-alpha.3
- Kubernetes v1.15.x <= v1.15.2
- Kubernetes v1.14.x <= v1.14.5
- Kubernetes <= v1.13.9
Prevent: Due to the potential impact of a denial-of-service attack, and the relatively low technical ability required to exploit CVE-2019-9512 and CVE-2019-9514, we recommend upgrading your Kubernetes clusters to the fixed release of your release line:
- v1.16 – v1.16.0-alpha.4
- v1.15 – v1.15.3
- v1.14 – v1.14.6
- v1.13 and earlier – v1.13.10
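As an added example that is not part of this advisory, the following Go program maps a running Kubernetes version string onto the affected ranges and fixed releases listed above. It assumes version strings in the form reported by `kubectl version` as gitVersion (for example v1.15.2 or v1.16.0-alpha.3) and treats any vendor suffix such as -gke.1 as carrying no ordering information.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

var (
	// First fixed release per line (Prevent section); key 13 also covers every older line.
	fixedRelease = map[int]string{16: "v1.16.0-alpha.4", 15: "v1.15.3", 14: "v1.14.6", 13: "v1.13.10"}
	// Assumption: suffixes other than -alpha.N/-beta.N/-rc.N (e.g. "-gke.1") carry no ordering.
	verRe = regexp.MustCompile(`^v?(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc)\.(\d+))?`)
	// Pre-releases sort below the final release: alpha < beta < rc < final.
	preRank = map[string]int{"alpha": 0, "beta": 1, "rc": 2, "": 3}
)

type kubeVersion [5]int // major, minor, patch, pre-release rank, pre-release number
func parseVersion(s string) (kubeVersion, error) {
	m := verRe.FindStringSubmatch(s)
	if m == nil {
		return kubeVersion{}, fmt.Errorf("unrecognised Kubernetes version %q", s)
	}
	n := func(i int) int { x, _ := strconv.Atoi(m[i]); return x } // matched digits, or "" -> 0
	return kubeVersion{n(1), n(2), n(3), preRank[m[4]], n(5)}, nil
}

// FixedVersion reports whether running is in an affected range and the fixed release of its line.
func FixedVersion(running string) (affected bool, target string, err error) {
	v, err := parseVersion(running)
	if err != nil {
		return false, "", err
	}
	if v[0] > 1 || (v[0] == 1 && v[1] > 16) {
		return false, "", nil // newer than every line the advisory covers
	}
	line := v[1]
	if v[0] < 1 || line < 13 {
		line = 13 // everything older than v1.14 is fixed by upgrading to v1.13.10
	}
	fixed, _ := parseVersion(fixedRelease[line])
	for i := range v { // the first differing field decides; all equal means already fixed
		if v[i] != fixed[i] {
			return v[i] < fixed[i], fixedRelease[line], nil
		}
	}
	return false, fixedRelease[line], nil
}

func main() { fmt.Println(FixedVersion("v1.16.0-alpha.3")) } // true v1.16.0-alpha.4 <nil>
```

To check a live cluster, pass the API server's reported version, e.g. the serverVersion.gitVersion field of `kubectl version -o json`, to FixedVersion in place of the constructed sample.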
React: Upgrade instructions for your Kubernetes cluster, by platform or installer:
- Azure Kubernetes Service (AKS)
- Google Compute Engine Clusters
- Google Kubernetes Engine Clusters
- Oracle Cloud Infrastructure Container Engine for Kubernetes (OKE) Cluster
- Kops
- Kubespray
- CoreOS Tectonic
- Digital Rebar
Sources:
[1] https://nvd.nist.gov/vuln/detail/CVE-2019-9514
[2] https://nvd.nist.gov/vuln/detail/CVE-2019-9512
[3] https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.16
[4] https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.15.md#other-notable-changes
[5] https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.14.md#other-notable-changes
[6] https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.13.md#other-notable-changes
[7] https://kubernetes.io/docs/concepts/overview/what-is-kubernetes/
[8] https://www.bleepingcomputer.com/news/security/severe-flaws-in-kubernetes-expose-all-servers-to-dos-attacks/
[9] https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster