KUBERNETES DENIAL OF SERVICE VULNERABILITIES (CVE-2019-9512, CVE-2019-9514)

Priority: High

Executive Summary: Two severe vulnerabilities allowing for easy Denial of Service attacks against almost all versions of Kubernetes clusters have been released this week as part of a set of HTTP/2 implementation vulnerabilities.

Kubernetes is an open-source container-orchestration system – analogous to lightweight virtual machines, with less of a requirement for isolation from the host operating system, that cater for large-scale production development and deployment of applications. It relies upon the /x/net Go package for HTTP and HTTPS listeners allowing for untrusted clients to allocate an unlimited amount of memory, until the server crashes.

A series of flaws in the queuing system of various HTTP/2 implementations, such as the Go language /x/net package, allows for malicious users to send repeated pings (CVE-2019-9512) or invalid requests that should solicit RST-STREAM frames (CVE-2019-9514) in order to consume excess server resources, leading to a denial of service.

Detect: Any Kubernetes cluster with an HTTP(S) listener running in any pod with a cluster version in the affected products below.

Affected Products:

Kubernetes v1.16.x <= v1.16.0-alpha.3
Kubernetes v1.15.x <= v1.15.2
Kubernetes v1.14.x <= v1.14.5
Kubernetes <= v1.13.9

Prevent: Due to the potential impact of a denial of service attack, and the relatively low technical ability required to exploit CVE-2019-9512 and CVE-2019-9514, we recommend updating your Kubernetes clusters to the latest version of your stream:

• v1.16 – v1.16.0-alpha.4
• v1.15 – v1.15.3
• v1.14 – v1.14.6
• <v1.13 – v1.13.10

React: Instructions on how to upgrade your Kubernetes Cluster:

• Azure Kubernetes Service (AKS)
  • https://docs.microsoft.com/en-us/azure/aks/upgrade-cluster
• Google Compute Engine Clusters
  • https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster
• Google Kubernetes Engine Clusters
  • https://cloud.google.com/kubernetes-engine/docs/clusters/upgrade
• Oracle Cloud Infrastructure Container Engine for Kubernetes (OKE) Cluster
  • https://docs.cloud.oracle.com/iaas/Content/ContEng/Tasks/contengupgradingk8smasternode.htm
• Kops
  • https://github.com/kubernetes/kops
• Kubespray
  • https://github.com/kubernetes-incubator/kubespray
• CoreOS Tectonic
  • https://coreos.com/tectonic/docs/latest/admin/upgrade.html
• Digital Rebar
  • https://provision.readthedocs.io/en/tip/doc/content-packages/krib.html

Sources:
[1] https://nvd.nist.gov/vuln/detail/CVE-2019-9514
[2] https://nvd.nist.gov/vuln/detail/CVE-2019-9512
[3] https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.16
[4] https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.15.md#other-notable-changes
[5] https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.14.md#other-notable-changes
[6] https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.13.md#other-notable-changes
[7] https://kubernetes.io/docs/concepts/overview/what-is-kubernetes/
[8] https://www.bleepingcomputer.com/news/security/severe-flaws-in-kubernetes-expose-all-servers-to-dos-attacks/
[9] https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster