PT-2019-4310 · Kubernetes · Kubernetes Api Server
Raesene
Published: 2019-01-18 · Updated: 2026-02-24
CVE-2019-11253
CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions
Kubernetes API server versions v1.0 through v1.12
Kubernetes API server versions prior to v1.13.12
Kubernetes API server versions prior to v1.14.8
Kubernetes API server versions prior to v1.15.5
Kubernetes API server versions prior to v1.16.2
Description
The issue is caused by improper input validation in the Kubernetes API server, which allows authorized users to submit malicious YAML or JSON payloads. Processing such a payload can make the API server consume excessive CPU or memory, potentially crashing it and making it unavailable. In versions prior to v1.14.0, the default RBAC policy authorized anonymous users to submit requests that could trigger this vulnerability, and clusters upgraded from a version prior to v1.14.0 keep that more permissive policy by default for backwards compatibility. The vulnerability is reachable through the API endpoint with a payload such as a "Billion Laughs" entity-expansion document, a pattern originally known from XML parsing, which causes excessive CPU usage.
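Because the description notes that clusters upgraded from releases before v1.14.0 keep the RBAC policy that lets anonymous callers reach the API server, a defender's first check is whether any ClusterRoleBinding still grants access to the `system:unauthenticated` group. The following Go program is an added example, not code from the advisory or from Kubernetes; it scans the JSON that `kubectl get clusterrolebindings -o json` produces, using a constructed sample in place of live cluster output.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal slice of the ClusterRoleBindingList schema; unused fields are omitted.
type bindingList struct {
	Items []struct {
		Metadata struct{ Name string }          `json:"metadata"`
		Subjects []struct{ Kind, Name string } `json:"subjects"`
	} `json:"items"`
}

// AnonymousBindings returns the names of ClusterRoleBindings whose subjects
// include the system:unauthenticated group. system:public-info-viewer is
// skipped: current releases use it deliberately for read-only endpoints such as /healthz.
func AnonymousBindings(raw []byte) ([]string, error) {
	var list bindingList
	if err := json.Unmarshal(raw, &list); err != nil {
		return nil, err
	}
	var found []string
	for _, b := range list.Items {
		if b.Metadata.Name == "system:public-info-viewer" {
			continue
		}
		for _, s := range b.Subjects {
			if s.Kind == "Group" && s.Name == "system:unauthenticated" {
				found = append(found, b.Metadata.Name)
				break
			}
		}
	}
	return found, nil
}

// Constructed sample (not real cluster output) resembling a cluster upgraded from
// a pre-1.14 release: system:discovery and system:basic-user still bind the group.
const SampleBindings = `{"items":[
{"metadata":{"name":"system:discovery"},"subjects":[{"kind":"Group","name":"system:authenticated"},{"kind":"Group","name":"system:unauthenticated"}]},
{"metadata":{"name":"system:basic-user"},"subjects":[{"kind":"Group","name":"system:authenticated"},{"kind":"Group","name":"system:unauthenticated"}]},
{"metadata":{"name":"system:public-info-viewer"},"subjects":[{"kind":"Group","name":"system:unauthenticated"}]},
{"metadata":{"name":"cluster-admin"},"subjects":[{"kind":"Group","name":"system:masters"}]}]}`

func main() {
	names, err := AnonymousBindings([]byte(SampleBindings))
	fmt.Println("bindings reachable by unauthenticated callers:", names, err)
}
```

Any binding the check reports should be reviewed and, where the grant is not required, have the `system:unauthenticated` subject removed before the upgrade to a fixed release is scheduled.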
Recommendations
For versions v1.0 through v1.12, update to v1.13.12, v1.14.8, v1.15.5, or v1.16.2 (or a later release) to resolve the issue.
For versions prior to v1.13.12, update to version v1.13.12 or later to resolve the issue.
For versions prior to v1.14.8, update to version v1.14.8 or later to resolve the issue.
For versions prior to v1.15.5, update to version v1.15.5 or later to resolve the issue.
For versions prior to v1.16.2, update to version v1.16.2 or later to resolve the issue.
As a temporary workaround, consider restricting access to the API server to minimize the risk of exploitation.
Avoid using the k8s.io/apimachinery/pkg/runtime/serializer/json and k8s.io/apimachinery/pkg/util/json packages until the issue is resolved.
Tags: Exploit · Fix · RCE · XML Entity Expansion
Affected Products
Alt Linux
Kubernetes Api Server