PT-2023-23655 · Suse · Suse Rke2
Highcwayne18 · Published 2023-09-11 · Updated 2023-09-22 · CVE-2023-32186
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
- SUSE RKE2 versions 1.24.0 through 1.24.17+rke2r1
- SUSE RKE2 versions 1.25.0 through 1.25.13+rke2r1
- SUSE RKE2 versions 1.26.0 through 1.26.8+rke2r1
- SUSE RKE2 versions 1.27.0 through 1.27.5+rke2r1
- SUSE RKE2 versions 1.28.0 through 1.28.1+rke2r1
Description
A vulnerability in SUSE RKE2 allows attackers with access to K3s servers' apiserver/supervisor port (TCP 6443) to cause a denial of service. The issue affects RKE2 servers: an attacker can force the TLS server to keep adding entries to the certificate's Subject Alternative Name (SAN) list until the certificate exceeds the maximum size that TLS client implementations allow. Clients then fail to establish new connections when joining or rejoining the cluster, resulting in a denial of service (DoS).
Recommendations
Upgrade to a fixed release:
- v1.28.1+rke2r1
- v1.27.5+rke2r1
- v1.26.8+rke2r1
- v1.25.13+rke2r1
- v1.24.17+rke2r1
If using RKE2 1.27 or earlier, add the parameter `tls-san-security: true` to the RKE2 configuration to enable enhanced security for the supervisor's TLS SAN list. If unable to upgrade, the certificate can be "frozen" by running `kubectl annotate secret -n kube-system rke2-serving listener.cattle.io/static=true` against the cluster. Note, however, that this mitigation prevents the certificate from gaining new SAN entries and from renewing itself automatically when it is about to expire.
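To monitor for the SAN-list growth described above and to confirm that the "frozen" mitigation is actually in place, here is an added Python check. It is an example written for this advisory, not code from the advisory or from the RKE2 project. It assumes (not stated on the page) that the serving certificate is read from the `rke2-serving` secret's `tls.crt` field with `kubectl get secret ... -o json` and that the SAN list is dumped with `openssl x509 -noout -ext subjectAltName`; the SAN text and secret documents embedded below are constructed samples.

```python
import base64
import json

# Annotation from the advisory's mitigation command; "true" freezes the cert.
FROZEN_ANNOTATION = "listener.cattle.io/static"

# Assumed pipeline (not from the page) an operator would run to dump the SAN
# list of the live serving certificate.
DUMP_SAN_COMMAND = (
    "kubectl get secret -n kube-system rke2-serving "
    "-o jsonpath='{.data.tls\\.crt}' | base64 -d "
    "| openssl x509 -noout -ext subjectAltName"
)

# Constructed sample of `openssl x509 -noout -ext subjectAltName` output.
SAMPLE_SAN_TEXT = """X509v3 Subject Alternative Name: 
    DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, IP Address:10.43.0.1, IP Address:127.0.0.1
"""

# Constructed placeholder certificate body, base64-encoded the way a TLS secret
# stores it. It is not a real certificate.
_PLACEHOLDER_PEM = b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"

# Constructed sample secrets: one with the mitigation applied, one without.
SAMPLE_SECRET_FROZEN = {
    "metadata": {
        "name": "rke2-serving",
        "namespace": "kube-system",
        "annotations": {FROZEN_ANNOTATION: "true"},
    },
    "data": {"tls.crt": base64.b64encode(_PLACEHOLDER_PEM).decode()},
}
SAMPLE_SECRET_UNFROZEN = {
    "metadata": {"name": "rke2-serving", "namespace": "kube-system"},
    "data": {"tls.crt": base64.b64encode(_PLACEHOLDER_PEM).decode()},
}


def parse_san_entries(openssl_text: str) -> list[str]:
    """Return the individual SAN entries (e.g. 'DNS:kubernetes') from the
    text printed by `openssl x509 -ext subjectAltName`."""
    entries = []
    for line in openssl_text.splitlines():
        line = line.strip()
        # Skip blank lines and the extension header line.
        if not line or line.startswith("X509v3 Subject Alternative Name"):
            continue
        for item in line.split(","):
            item = item.strip()
            if item:
                entries.append(item)
    return entries


def san_growth_alert(entries: list[str], expected_max: int) -> bool:
    """True when the SAN list is larger than the operator's known-good size,
    which is the symptom of the advisory's unbounded-growth condition."""
    return len(entries) > expected_max


def is_frozen(secret: dict) -> bool:
    """True when the rke2-serving secret carries the advisory's
    listener.cattle.io/static=true annotation (certificate frozen)."""
    annotations = secret.get("metadata", {}).get("annotations") or {}
    return annotations.get(FROZEN_ANNOTATION) == "true"


def decode_tls_crt(secret: dict) -> bytes:
    """Decode the base64 PEM stored under data["tls.crt"] (assumed key)."""
    return base64.b64decode(secret["data"]["tls.crt"])


def summarize(secret: dict, san_text: str, expected_max: int) -> dict:
    """Combine the two checks into one report for alerting or auditing."""
    entries = parse_san_entries(san_text)
    return {
        "san_count": len(entries),
        "san_alert": san_growth_alert(entries, expected_max),
        "frozen": is_frozen(secret),
        "pem_starts_with_header": decode_tls_crt(secret).startswith(b"-----BEGIN"),
    }


if __name__ == "__main__":
    print("Dump command:", DUMP_SAN_COMMAND)
    print(json.dumps(summarize(SAMPLE_SECRET_FROZEN, SAMPLE_SAN_TEXT, 5), indent=2))
    print(json.dumps(summarize(SAMPLE_SECRET_UNFROZEN, SAMPLE_SAN_TEXT, 4), indent=2))
```

In practice the operator records the SAN count of a healthy cluster as `expected_max` and runs the dump command periodically; a rising count on an unpatched 1.27-or-earlier server is the condition the advisory describes, while `frozen` being false on a cluster that cannot be upgraded means the interim mitigation has not been applied.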
Fix
Weakness Enumeration
Allocation of Resources Without Limits
Related identifiers
CVE-2023-32186
Affected products
Suse Rke2