CVE-2023-32187

Name of the Vulnerable Software and Affected Versions k3s versions 1.24.0 through 1.24.17 k3s versions 1.25.0 through 1.25.13 k3s versions 1.26.0 through 1.26.8 k3s versions 1.27.0 through 1.27.5 k3s versions 1.28.0 through 1.28.1

Description An Allocation of Resources Without Limits or Throttling issue in SUSE k3s allows attackers with access to K3s servers' apiserver/supervisor port (TCP 6443) to cause denial of service. The issue affects k3s servers, where an attacker can force the TLS server to add entries to the certificate's Subject Alternative Name (SAN) list until the certificate grows so large that it exceeds the maximum size allowed by TLS client implementations, leading to a denial of service (DoS) attack.

Recommendations For versions 1.24.0 through 1.24.17, upgrade to version 1.24.17+k3s1. For versions 1.25.0 through 1.25.13, upgrade to version 1.25.13+k3s1. For versions 1.26.0 through 1.26.8, upgrade to version 1.26.8+k3s1. For versions 1.27.0 through 1.27.5, upgrade to version 1.27.5+k3s1 and add the parameter tls-san-security: true to the K3s configuration. For versions 1.28.0 through 1.28.1, upgrade to version 1.28.1+k3s1. If you cannot upgrade to a fixed release, consider running the command kubectl annotate secret -n kube-system k3s-serving listener.cattle.io/static=true to "freeze" the certificate, but be aware that this will prevent the certificate from adding new SAN entries and automatically renewing itself.