HTTP/2 DoS CVEs Affect Kubernetes too !

Two high severity vulnerabilities impacting all versions of the Kubernetes open-source system for handling containerised apps can allow an unauthorised attacker to trigger a denial-of-service (DoS) state.

Kubernetes development team has already released patched versions to address these newly found security flaws and block potential attackers from exploiting them.

Kubernetes was originally developed by Google using Go and it is designed to help automate the deployment, scaling, and management of containerised workloads and services over clusters of hosts.

It does this by organising app containers into pods, nodes (physical or virtual machines), and clusters, with multiple nodes forming a cluster that is managed by a master which coordinates cluster-related tasks such as scaling, scheduling, or updating apps.

Security flaws impact all Kubernetes versions

“A security issue has been found in the net/http library of the Go language that affects all versions and all components of Kubernetes,” disclosed Kubernetes Product Security Committee’s Micah Hausler on the announcement list for Kubernetes security issues.

“The vulnerabilities can result in a DoS against any process with an HTTP or HTTPS listener,” with all versions of Kubernetes being affected.

Netflix announced the discovery of multiple vulnerabilities exposing servers that come with support for HTTP/2 communication to DoS attacks on August 13.

Out of the eight CVEs issued by Netflix with their security advisory, two of them also impact Go and all Kubernetes components designed to serve HTTP/2 traffic (including /healthz).

The two weaknesses tracked as CVE-2019-9512 and CVE-2019-9514 have been assigned CVSS v3.0 base scores of 7.5 by the Kubernetes Product Security Committee, and they make it possible for “untrusted clients to allocate an unlimited amount of memory, until the server crashes.”

  1. CVE-2019-9512 Ping Flood: attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
  2. CVE-2019-9514 Reset Flood: attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both, potentially leading to a denial of service.

Upgrade your Kubernetes clusters

As mentioned in the beginning, Kubernetes has already released patches to address the vulnerabilities and all admins are advised to upgrade to a patched version as soon as possible.

The following Kubernetes releases built using new and patched versions of Go have been issued by the development team to help admins mitigate the vulnerabilities:

• Kubernetes v1.15.3 - go1.12.9
• Kubernetes v1.14.6 - go1.12.9
• Kubernetes v1.13.10 - go1.11.13

Hits: 120