Highcwayne18

**Name of the Vulnerable Software and Affected Versions** SUSE RKE2 versions 1.24.0 through 1.24.17+rke2r1 SUSE RKE2 versions 1.25.0 through 1.25.13+rke2r1 SUSE RKE2 versions 1.26.0 through 1.26.8+rke2r1 SUSE RKE2 versions 1.27.0 through 1.27.5+rke2r1 SUSE RKE2 versions 1.28.0 through 1.28.1+rke2r1 **Description** A vulnerability in SUSE RKE2 allows attackers with access to K3s servers' apiserver/supervisor port (TCP 6443) to cause a denial of service. The issue affects RKE2 servers, where an attacker can force the TLS server to add entries to the certificate's Subject Alternative Name (SAN) list until the certificate grows too large, exceeding the maximum size allowed by TLS client implementations. This leads to a denial of service (DoS) attack, as clients fail to establish new connections when joining or rejoining the cluster. **Recommendations** Upgrade to a fixed release: - v1.28.1+rke2r1 - v1.27.5+rke2r1 - v1.26.8+rke2r1 - v1.25.13+rke2r1 - 1.24.17+rke2r1 If using RKE2 1.27 or earlier, add the parameter `tls-san-security: true` to the RKE2 configuration to enable enhanced security for the supervisor's TLS SAN list. If unable to upgrade, the certificate can be "frozen" by running the command `kubectl annotate secret -n kube-system rke2-serving listener.cattle.io/static=true` against the cluster. However, note that this mitigation will prevent the certificate from adding new SAN entries and automatically renewing itself when it is about to expire.

**Name of the Vulnerable Software and Affected Versions** k3s versions 1.24.0 through 1.24.17 k3s versions 1.25.0 through 1.25.13 k3s versions 1.26.0 through 1.26.8 k3s versions 1.27.0 through 1.27.5 k3s versions 1.28.0 through 1.28.1 **Description** An Allocation of Resources Without Limits or Throttling issue in SUSE k3s allows attackers with access to K3s servers' apiserver/supervisor port (TCP 6443) to cause denial of service. The issue affects k3s servers, where an attacker can force the TLS server to add entries to the certificate's Subject Alternative Name (SAN) list until the certificate grows so large that it exceeds the maximum size allowed by TLS client implementations, leading to a denial of service (DoS) attack. **Recommendations** For versions 1.24.0 through 1.24.17, upgrade to version 1.24.17+k3s1. For versions 1.25.0 through 1.25.13, upgrade to version 1.25.13+k3s1. For versions 1.26.0 through 1.26.8, upgrade to version 1.26.8+k3s1. For versions 1.27.0 through 1.27.5, upgrade to version 1.27.5+k3s1 and add the parameter `tls-san-security: true` to the K3s configuration. For versions 1.28.0 through 1.28.1, upgrade to version 1.28.1+k3s1. If you cannot upgrade to a fixed release, consider running the command `kubectl annotate secret -n kube-system k3s-serving listener.cattle.io/static=true` to "freeze" the certificate, but be aware that this will prevent the certificate from adding new SAN entries and automatically renewing itself.