CVE-2020-8551: Kubelet vulnerable to Denial of service(DoS) via API #2327

Ebaneck · 2020-03-24T07:55:52Z

Component:

'kubelet', 'kubernetes'

What happened:

Kubelet has been found to be vulnerable to a denial of service attack via the kubelet API, including the unauthenticated HTTP read-only API typically served on port 10255, and the authenticated HTTPS API typically served on port 10250.

CVSS Rating: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (Medium)

Affected Versions
kubelet v1.17.0 - v1.17.2
kubelet v1.16.0 - v1.16.6
kubelet v1.15.0 - v1.15.9

Fixed Versions
v1.17.3
v1.16.7
v1.15.10

Resolution proposal (optional):

Bump the Kubelet version for release and to be released branches.

For branch 2.5 we use Kubelet 1.16.2(vulnerable)
For branch 2.4 we use Kubelet 1.15.5(vulnerable)

Closes: #2328 Closes: #2327

Ebaneck added topic:security Security-related issues complexity:easy Something that requires less than a day to fix labels Mar 24, 2020

thomasdanan added priority:high High priority issues, should be worked on ASAP (after urgent issues), not postponed severity:medium Medium impact (usability) on live deployments labels Mar 27, 2020

Ebaneck self-assigned this Apr 3, 2020

bert-e closed this as completed in 5913c85 Apr 3, 2020

wabernat pushed a commit that referenced this issue Apr 14, 2020

kubernetes: Bump kubernetes version

72ed15e

Closes: #2328 Closes: #2327

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2020-8551: Kubelet vulnerable to Denial of service(DoS) via API #2327

CVE-2020-8551: Kubelet vulnerable to Denial of service(DoS) via API #2327

Ebaneck commented Mar 24, 2020

CVE-2020-8551: Kubelet vulnerable to Denial of service(DoS) via API #2327

CVE-2020-8551: Kubelet vulnerable to Denial of service(DoS) via API #2327

Comments

Ebaneck commented Mar 24, 2020