Severe Flaws in Kubernetes Expose All Servers to DoS Attacks

Security Flaws

Two severe vulnerabilities affecting all Kubernetes open-source variants for containerized applications can cause a denied-of-service (DoS) state for an unauthorized attacker.

The development team of Kubernetes have already published patched versions to tackle these newly identified safety defects and prevent prospective attackers from using them.

Kubernetes was initially created using Google and is intended to automate containerized workloads and services deployment, scaling and governance across hosts clusters.

This is done through the organization of application containers into pods, nodes, and clusters, with various nodes that form a cluster managed by the Master which co-ordinates duties relating to clusters, such as scale-up, scheduling, or updating applications.

Security defects affect all versions of Kubernetes

“A security issue has been found in the net/http library of the Go language that affects all versions and all components of Kubernetes,” disclosed Kubernetes Product Security Committee’s Micah Hausler on the announcement list for Kubernetes security issues.

“The vulnerabilities can result in a DoS against any process with an HTTP or HTTPS listener,” with all versions of Kubernetes being affected.

Netflix announced on August 13 that it discovered numerous vulnerabilities, which expose servers that promote HTTP/2 communication in DoS attacks.

Of the eight Netflix CVEs, two of them have an impact on Go as well as all Kubernetes ‘ components that are intended to serve HTTP/2 traffic (including /healthz).

CVSS v3.0 baseline values of 7.5 were assigned by the Kubernetes Product security committee to the two weaknesses identified as CVE-2019-9512 and CVE-2019-9514, which enable “untrusted clients to allocate an unlimited amount of memory until the server crashes.”

  1. CVE-2019-9512 Ping Flood: attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
  2. CVE-2019-9514 Reset Flood: attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both, potentially leading to a denial of service.

As stated earlier, Kubernetes already has patches to tackle vulnerabilities and all administrators are recommended to upgrade to a patched version as quickly as possible.

The following Kubernetes releases have been published by the development team using fresh and patched Go versions to assist address vulnerabilities:

  • Kubernetes v1.15.3 – go1.12.9
  • Kubernetes v1.14.6 – go1.12.9
  • Kubernetes v1.13.10 – go1.11.13

Kubernetes managers can upgrade their clusters by means of upgrade guidelines available on the Kubernetes Cluster Management page for all systems.

Jennifer Thomas
Jennifer Thomas is the Co-founder and Chief Business Development Officer at Cybers Guards. Prior to that, She was responsible for leading its Cyber Security Practice and Cyber Security Operations Center, which provided managed security services.