PT-2020-20203 · Kubernetes+1

Henrik Schmidt

·

Published

2020-03-23

·

Updated

2025-08-08

·

CVE-2020-8551

CVSS v3.1

4.3

Medium

Vector

AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions

Kubernetes versions 1.15.0 through 1.15.9
Kubernetes versions 1.16.0 through 1.16.6
Kubernetes versions 1.17.0 through 1.17.2
Description

The Kubelet component is vulnerable to a denial of service attack via the kubelet API. This includes both the unauthenticated HTTP read-only API, typically served on port 10255, and the authenticated HTTPS API, typically served on port 10250. The underlying weakness is allocation of resources without limits or throttling: requests to the API can cause uncontrolled memory allocation in the kubelet and exhaust the node's memory, degrading the availability of the kubelet and the workloads it manages.
Recommendations

Upgrade to a release that contains the fix: 1.15.10, 1.16.7, 1.17.3, or any later release. The weakness is the same in all three affected branches, so the same mitigations apply to every listed version until it is upgraded.
Disable the unauthenticated read-only API (readOnlyPort: 0 in the KubeletConfiguration, or --read-only-port=0 on the kubelet command line).
Require authentication and authorization on port 10250: disable anonymous authentication, enable x509 client-certificate or webhook (bearer token) authentication, and set the authorization mode to Webhook.
Restrict network access to ports 10250 and 10255 to the API server and other trusted sources with host firewall rules or network policy, since the vulnerability is reachable from anywhere that can open a connection to the kubelet.
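The mitigations above amount to a handful of KubeletConfiguration fields. The following added example (written for this page, not code from the advisory or the Kubernetes project) audits a kubelet config for those fields, with a constructed weak config beside a hardened one. It assumes the config is supplied in JSON, which the kubelet's --config file accepts alongside YAML; a YAML file loaded with yaml.safe_load() yields the same dict.

```python
"""Audit a kubelet configuration for the settings that expose the kubelet API.

Added example, not from the advisory or the Kubernetes project. It assumes a
KubeletConfiguration (kubelet.config.k8s.io/v1beta1) as the kubelet's --config
file accepts it, in JSON here; a YAML file loaded with yaml.safe_load() gives
the same dict. Both sample configs below are constructed for the example.
"""
import json
from typing import List, Tuple

# Constructed sample: read-only API on 10255, anonymous requests accepted and
# authorised unconditionally on 10250.
WEAK_CONFIG_JSON = """
{
  "apiVersion": "kubelet.config.k8s.io/v1beta1",
  "kind": "KubeletConfiguration",
  "readOnlyPort": 10255,
  "authentication": {
    "anonymous": {"enabled": true},
    "webhook": {"enabled": false}
  },
  "authorization": {"mode": "AlwaysAllow"}
}
"""

# Constructed sample: read-only API off, client certificates or bearer tokens
# required, every request authorised through SubjectAccessReview.
HARDENED_CONFIG_JSON = """
{
  "apiVersion": "kubelet.config.k8s.io/v1beta1",
  "kind": "KubeletConfiguration",
  "readOnlyPort": 0,
  "authentication": {
    "anonymous": {"enabled": false},
    "webhook": {"enabled": true},
    "x509": {"clientCAFile": "/etc/kubernetes/pki/ca.crt"}
  },
  "authorization": {"mode": "Webhook"}
}
"""

Finding = Tuple[str, str]  # (field path, message)


def audit_kubelet_config(cfg: dict) -> List[Finding]:
    """Return one (field, message) per setting that leaves the kubelet API open.

    Missing fields are read with the v1beta1 config-file defaults (readOnlyPort 0,
    anonymous off, webhook on, authorization Webhook). The legacy command-line
    flags default the other way, so a kubelet started from flags rather than
    --config must be checked against its flags, not with this function.
    """
    findings: List[Finding] = []
    if cfg.get("kind") != "KubeletConfiguration":
        return [("kind", "not a KubeletConfiguration object")]

    # 1. The read-only port serves pod and node data over plain HTTP with no
    #    authentication at all; only 0 turns it off.
    ro_port = cfg.get("readOnlyPort", 0)
    if ro_port != 0:
        findings.append(("readOnlyPort",
                         f"unauthenticated HTTP API served on {ro_port}; set readOnlyPort to 0"))

    auth = cfg.get("authentication", {})
    anonymous = auth.get("anonymous", {}).get("enabled", False)
    webhook = auth.get("webhook", {}).get("enabled", True)
    client_ca = auth.get("x509", {}).get("clientCAFile")

    # 2. Anonymous auth maps every unauthenticated request to system:anonymous,
    #    which together with AlwaysAllow leaves the HTTPS API effectively open.
    if anonymous:
        findings.append(("authentication.anonymous.enabled",
                         "anonymous requests accepted; set enabled to false"))

    # 3. With neither bearer-token (webhook) nor client-certificate (x509)
    #    authentication configured, no caller can be identified at all.
    if not webhook and not client_ca:
        findings.append(("authentication",
                         "no authenticator: enable webhook or set x509.clientCAFile"))

    # 4. AlwaysAllow skips SubjectAccessReview, so any caller that passes
    #    authentication (or is anonymous) may use every kubelet endpoint.
    mode = cfg.get("authorization", {}).get("mode", "Webhook")
    if mode != "Webhook":
        findings.append(("authorization.mode",
                         f"authorization mode {mode}; set mode to Webhook"))
    return findings


def audit_json(text: str) -> List[Finding]:
    """Parse a JSON KubeletConfiguration and audit it."""
    return audit_kubelet_config(json.loads(text))


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG_JSON), ("hardened", HARDENED_CONFIG_JSON)):
        result = audit_json(text)
        status = "OK" if not result else f"{len(result)} finding(s)"
        print(f"{label}: {status}")
        for field, message in result:
            print(f"  {field}: {message}")
```

Note that the audit only closes the configuration side; the network restriction in the recommendations is still needed, because a patched-but-reachable read-only port still hands out pod and node details to anyone who can connect, and the fix releases remain the only cure for the memory exhaustion itself.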

Fix

Impact

DoS

Weakness Enumeration

Allocation of Resources Without Limits or Throttling (CWE-770)

Related Identifiers

ALT-PU-2020-1662
ALT-PU-2020-2338
CVE-2020-8551
GHSA-QHM4-JXV7-J9PQ
GO-2022-0867
OPENSUSE-SU-2025:15424-1
RHSA-2020:1276

Affected Products

Alt Linux
Kubernetes