ALT-PU-2020-2338-2

Package kubernetes updated to version 1.18.5-alt1 for branch p9 in task 254411.

The Kubernetes kube-controller-manager in versions v1.0-v1.17 is vulnerable to a credential leakage via error messages in mount failure logs and events for AzureFile and CephFS volumes.

Severity: MEDIUM (5.0)Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Severity: MEDIUM (6.5)Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References:

The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.

Severity: MEDIUM (4.0)Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P

Severity: MEDIUM (6.5)Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References:

The Kubelet component in versions 1.15.0-1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via the kubelet API, including the unauthenticated HTTP read-only API typically served on port 10255, and the authenticated HTTPS API typically served on port 10250.

Severity: LOW (3.3)Vector: AV:A/AC:L/Au:N/C:N/I:N/A:P

Severity: MEDIUM (6.5)Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

The Kubernetes API server component in versions prior to 1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via successful API requests.

Severity: MEDIUM (4.0)Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P

Severity: MEDIUM (4.3)Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

References:

The Kubernetes kube-controller-manager in versions v1.0-1.14, versions prior to v1.15.12, v1.16.9, v1.17.5, and version v1.18.0 are vulnerable to a Server Side Request Forgery (SSRF) that allows certain authorized users to leak up to 500 bytes of arbitrary information from unprotected endpoints within the master's host network (such as link-local or loopback services).

Severity: LOW (3.5)Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N

Severity: MEDIUM (6.3)Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

References:

The Kubelet and kube-proxy components in versions 1.1.0-1.16.10, 1.17.0-1.17.6, and 1.18.0-1.18.3 were found to contain a security issue which allows adjacent hosts to reach TCP and UDP services bound to 127.0.0.1 running on the node or in the node's network namespace. Such a service is generally thought to be reachable only by other processes on the same host, but due to this defeect, could be reachable by other hosts on the same LAN as the node, or by containers running on the same node as the service.

Severity: MEDIUM (5.8)Vector: AV:A/AC:L/Au:N/C:P/I:P/A:P

Severity: HIGH (8.8)Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Kubernetes API Server DoS Via API Requests

Severity: MEDIUM (5.3)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References:

Allocation of Resources Without Limits or Throttling and Uncontrolled Memory Allocation in Kubernetes

Severity: MEDIUM (4.3)Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References:

Improper Authentication in Kubernetes

Severity: HIGH (8.8)Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Excessive Platform Resource Consumption within a Loop in Kubernetes

Severity: MEDIUM (6.5)Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References:

Server Side Request Forgery (SSRF) in Kubernetes

Severity: MEDIUM (6.3)Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

References:

Version: 2.1.2

Package kubernetes update in p9 on 2020-07-09

ALT-PU-2020-2338-2

Closed vulnerabilities

CVE-2019-11252

CVE-2019-11254

CVE-2020-8551

CVE-2020-8552

CVE-2020-8555

CVE-2020-8558

GHSA-82hx-w2r5-c2wq

GHSA-qhm4-jxv7-j9pq

GHSA-wqv3-8cm6-h6wg

GHSA-wxc4-f4m6-wwqv

GHSA-x6mj-w4jf-jmgw