Executive Summary: Two severe vulnerabilities that allow easy denial-of-service attacks against almost all versions of Kubernetes were disclosed this week as part of a set of HTTP/2 implementation vulnerabilities.
Kubernetes is an open-source container-orchestration system for large-scale production development and deployment of applications. Containers are analogous to lightweight virtual machines, but they share the host kernel and so are less isolated from the host operating system. Kubernetes is written in Go and serves its HTTP and HTTPS listeners through the golang.org/x/net HTTP/2 package; the affected versions of that package let an untrusted client make the server allocate memory without bound, until the process crashes.
A series of flaws in how various HTTP/2 implementations, including the Go golang.org/x/net package, queue control frames lets a malicious client send a flood of PING frames (CVE-2019-9512, "Ping Flood") or a flood of invalid requests that each solicit an RST_STREAM frame from the server (CVE-2019-9514, "Reset Flood"). The server queues its replies faster than the client reads them, consuming excess CPU and memory until it can no longer serve. Because these frames are processed before any request is authenticated, the attacker needs nothing more than network reachability to an HTTP/2 listener.
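The mechanism described above, as an added example that is not code from this page, from Kubernetes or from the Go project: a minimal HTTP/2 frame parser and a model of the bounded control-frame queue that the patched golang.org/x/net/http2 server uses. The PING stream fed into it is constructed, the cap of 10000 is assumed to match upstream's maxQueuedControlFrames constant at the time of the fix (check the copy vendored in your build), and the helper names are this example's own.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// HTTP/2 frame layout (RFC 7540 section 4.1): a 9-byte header holding a 24-bit
// payload length, 8-bit type, 8-bit flags, then a reserved bit and a 31-bit
// stream identifier.
const (
	frameHeaderLen      = 9
	frameSettings  byte = 0x4
	framePing      byte = 0x6
	flagAck        byte = 0x1 // ACK bit on PING and SETTINGS frames
)

// maxQueuedControlFrames is the per-connection cap the patched
// golang.org/x/net/http2 server puts on control frames waiting to be written
// (assumed here to be 10000, upstream's value at the time of the fix). A peer
// that provokes more replies than this without reading any of them has its
// connection closed instead of growing the queue without bound.
const maxQueuedControlFrames = 10000

type frame struct {
	Type, Flags byte
	StreamID    uint32
	Payload     []byte
}

// parseFrames splits a raw HTTP/2 byte stream (everything after the connection
// preface) into frames and fails on a truncated frame rather than guessing.
func parseFrames(buf []byte) ([]frame, error) {
	var out []frame
	for len(buf) > 0 {
		if len(buf) < frameHeaderLen {
			return out, errors.New("truncated frame header")
		}
		n := int(buf[0])<<16 | int(buf[1])<<8 | int(buf[2])
		if len(buf) < frameHeaderLen+n {
			return out, errors.New("truncated frame payload")
		}
		out = append(out, frame{
			Type:     buf[3],
			Flags:    buf[4],
			StreamID: binary.BigEndian.Uint32(buf[5:9]) & 0x7fffffff,
			Payload:  buf[frameHeaderLen : frameHeaderLen+n],
		})
		buf = buf[frameHeaderLen+n:]
	}
	return out, nil
}

// serve models the server side of one connection whose peer never reads: every
// PING without ACK owes a PING ACK and every SETTINGS without ACK owes a
// SETTINGS ACK (the RST_STREAM replies of the reset flood are queued the same
// way). It returns the index of the frame that tripped the cap, or -1.
func serve(frames []frame) int {
	queued := 0
	for i, f := range frames {
		switch {
		case f.Type == framePing && f.Flags&flagAck == 0:
			queued++ // RFC 7540 6.7: a PING must be answered with a PING ACK
		case f.Type == frameSettings && f.Flags&flagAck == 0:
			queued++ // RFC 7540 6.5.3: SETTINGS must be acknowledged
		}
		if queued > maxQueuedControlFrames {
			return i
		}
	}
	return -1
}

// pingFlood is constructed input, not a capture: n PING frames of 17 bytes each
// (9-byte header, 8-byte opaque payload, stream 0). With ack set they are
// replies rather than requests and cost the server nothing.
func pingFlood(n int, ack bool) []byte {
	hdr := [frameHeaderLen]byte{2: 8, 3: framePing}
	if ack {
		hdr[4] = flagAck
	}
	buf := make([]byte, 0, n*(frameHeaderLen+8))
	for i := 0; i < n; i++ {
		buf = append(append(buf, hdr[:]...), make([]byte, 8)...)
	}
	return buf
}

func main() {
	for _, n := range []int{maxQueuedControlFrames, maxQueuedControlFrames + 1} {
		frames, err := parseFrames(pingFlood(n, false))
		fmt.Printf("%d PINGs (%d bytes from the client): frames=%d err=%v closedAt=%d\n",
			n, n*(frameHeaderLen+8), len(frames), err, serve(frames))
	}
}
```

The model deliberately assumes a client that never reads, which is exactly what the attacker does; a real server also drains the queue as the peer consumes replies, so the cap is only ever reached by a misbehaving connection. The asymmetry is the point of the bug class: roughly 170 KB of 17-byte PINGs from the client obliges an unpatched server to hold 10001 replies, and nothing stops the client at 10001.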
Detect: The vulnerable code is in the Go HTTP(S) listeners of the Kubernetes components themselves (the API server and kubelet among them), so check the cluster version against the affected products below. A workload running in a pod is only affected if it was itself built with a vulnerable Go HTTP/2 stack, which is independent of the cluster version.
- Kubernetes v1.16.x <= v1.16.0-alpha.3
- Kubernetes v1.15.x <= v1.15.2
- Kubernetes v1.14.x <= v1.14.5
- Kubernetes <= v1.13.9
Prevent: Given the impact of a denial of service and the low technical ability required to exploit CVE-2019-9512 and CVE-2019-9514, we recommend upgrading your Kubernetes clusters to the latest patch release of your release stream. These releases carry the fixed golang.org/x/net; check every component, since kubelets on nodes commonly lag the control plane:
- v1.16 – v1.16.0-alpha.4
- v1.15 – v1.15.3
- v1.14 – v1.14.6
- v1.13 and earlier – v1.13.10
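To apply the affected and fixed versions listed above to a running cluster, an added example that is not code from this page or from the Kubernetes project: a Go program that reads the JSON output of `kubectl version -o json` and `kubectl get nodes -o json`, compares the API server and every kubelet against those ranges, and reports what still needs upgrading. The two JSON documents embedded in it are constructed sample output, not captured from a real cluster, and the `streams` table and the `kubelet/<node>` naming are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strconv"
)

var verRe = regexp.MustCompile(`^v?(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc)\.(\d+))?`)
var preRank = map[string]int{"alpha": 0, "beta": 1, "rc": 2}

// parseVersion packs a Kubernetes gitVersion into one comparable integer,
// major*1e9 + minor*1e6 + patch*1e3 + preRank*100 + preNum (alpha 0 < beta 1 <
// rc 2 < final 3), so v1.16.0-alpha.3 < v1.16.0-alpha.4 < v1.16.0. Provider
// suffixes such as -gke.1 are ignored: they do not change the upstream patch.
func parseVersion(s string) (int, error) {
	m := verRe.FindStringSubmatch(s)
	if m == nil {
		return 0, fmt.Errorf("unrecognised version %q", s)
	}
	major, _ := strconv.Atoi(m[1])
	minor, _ := strconv.Atoi(m[2])
	patch, _ := strconv.Atoi(m[3])
	pre, preNum := 3, 0
	if m[4] != "" {
		pre = preRank[m[4]]
		preNum, _ = strconv.Atoi(m[5])
	}
	return major*1e9 + minor*1e6 + patch*1e3 + pre*100 + preNum, nil
}

// The advisory's table as {last affected, first fixed} per stream. The final
// entry also covers every earlier minor, as the advisory's "<= v1.13.9" does.
var streams = [][2]string{
	{"v1.16.0-alpha.3", "v1.16.0-alpha.4"}, {"v1.15.2", "v1.15.3"},
	{"v1.14.5", "v1.14.6"}, {"v1.13.9", "v1.13.10"},
}

// isAffected reports whether s is in an affected range and, if so, the release
// to move to. v/1e6 is major*1000+minor, i.e. the stream; anything newer than
// every listed stream is reported clean.
func isAffected(s string) (bool, string, error) {
	v, err := parseVersion(s)
	if err != nil {
		return false, "", err
	}
	for i, st := range streams {
		last, _ := parseVersion(st[0])
		if v/1e6 == last/1e6 || i == len(streams)-1 && v < last {
			return v <= last, st[1], nil
		}
	}
	return false, "", nil
}

// auditCluster takes the raw output of `kubectl version -o json` and `kubectl
// get nodes -o json` and returns one line per API server or kubelet build that
// is still affected. encoding/json matches field names case-insensitively.
func auditCluster(versionJSON, nodesJSON []byte) ([]string, error) {
	var kv struct{ ServerVersion struct{ GitVersion string } }
	var nl struct {
		Items []struct {
			Metadata struct{ Name string }
			Status   struct{ NodeInfo struct{ KubeletVersion string } }
		}
	}
	if err := json.Unmarshal(versionJSON, &kv); err != nil {
		return nil, err
	}
	if err := json.Unmarshal(nodesJSON, &nl); err != nil {
		return nil, err
	}
	builds := [][2]string{{"kube-apiserver", kv.ServerVersion.GitVersion}}
	for _, n := range nl.Items {
		builds = append(builds, [2]string{"kubelet/" + n.Metadata.Name, n.Status.NodeInfo.KubeletVersion})
	}
	var out []string
	for _, b := range builds {
		affected, fixed, err := isAffected(b[1])
		if err != nil {
			return nil, err
		}
		if affected {
			out = append(out, fmt.Sprintf("%s %s -> upgrade to %s", b[0], b[1], fixed))
		}
	}
	return out, nil
}

// Constructed sample output (not from a real cluster): the API server is still
// on v1.15.2, node-a is already upgraded and node-b is still on v1.14.5.
const sampleVersionJSON = `{"clientVersion":{"gitVersion":"v1.15.3"},"serverVersion":{"gitVersion":"v1.15.2"}}`
const sampleNodesJSON = `{"items":[
 {"metadata":{"name":"node-a"},"status":{"nodeInfo":{"kubeletVersion":"v1.15.3"}}},
 {"metadata":{"name":"node-b"},"status":{"nodeInfo":{"kubeletVersion":"v1.14.5"}}}]}`

func main() {
	lines, err := auditCluster([]byte(sampleVersionJSON), []byte(sampleNodesJSON))
	fmt.Println(lines, err)
}
```

Feed real output in place of the two constants (reading the two files from the command line is the obvious extension). Provider suffixes such as -gke.1 are stripped because they do not change the upstream patch level, but managed providers sometimes backport fixes on their own schedule, so for a managed cluster the provider's own advisory is authoritative over this table.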
React: Instructions on how to upgrade your Kubernetes cluster, by provider:
- Azure Kubernetes Service (AKS)
- Google Compute Engine Clusters
- Google Kubernetes Engine Clusters
- Oracle Cloud Infrastructure Container Engine for Kubernetes (OKE) Cluster
- CoreOS Tectonic
- Digital Rebar