PT-2023-23655 · Suse · Suse Rke2
Highcwayne18
Published 2023-09-11 · Updated 2023-09-22
CVE-2023-32186
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
SUSE RKE2 versions 1.24.0 through 1.24.17+rke2r1
SUSE RKE2 versions 1.25.0 through 1.25.13+rke2r1
SUSE RKE2 versions 1.26.0 through 1.26.8+rke2r1
SUSE RKE2 versions 1.27.0 through 1.27.5+rke2r1
SUSE RKE2 versions 1.28.0 through 1.28.1+rke2r1
Description
A vulnerability in SUSE RKE2 allows attackers with access to K3s servers' apiserver/supervisor port (TCP 6443) to cause a denial of service. The issue affects RKE2 servers: an attacker can force the TLS server to keep adding entries to the certificate's Subject Alternative Name (SAN) list until the certificate grows beyond the maximum size accepted by TLS client implementations. The result is a denial of service (DoS), because clients can no longer establish new connections when joining or rejoining the cluster.
Recommendations
Upgrade to a fixed release:
- v1.28.1+rke2r1
- v1.27.5+rke2r1
- v1.26.8+rke2r1
- v1.25.13+rke2r1
- v1.24.17+rke2r1
If using RKE2 1.27 or earlier, add the parameter tls-san-security: true to the RKE2 configuration to enable enhanced security for the supervisor's TLS SAN list. If unable to upgrade, the certificate can be "frozen" by running the command kubectl annotate secret -n kube-system rke2-serving listener.cattle.io/static=true against the cluster. However, note that this mitigation will prevent the certificate from adding new SAN entries and from automatically renewing itself when it is about to expire.
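As an added defensive check (not part of this advisory or of RKE2 itself), the following Python script connects to the supervisor port, verifies the serving certificate against the cluster CA, and flags SAN entries outside the operator's expected set, an oversized certificate, and pending expiry, which matters once the certificate has been frozen with the annotation above. The CA file path, the thresholds and the expected-SAN list are assumptions supplied by the operator.

```python
"""Audit an RKE2 supervisor serving certificate for SAN-list growth and
pending expiry. Added example; not code from the advisory or from RKE2."""
import socket
import ssl
import time

# Constructed thresholds (assumptions, not values from the advisory).
MAX_SAN_ENTRIES = 32        # a hand-maintained tls-san list is rarely larger
MAX_DER_BYTES = 16 * 1024   # flag certificates approaching client size limits
EXPIRY_WARN_SECONDS = 30 * 86400


def audit_cert(cert, der_len, expected_sans, now=None):
    """Return a list of findings for one certificate.

    cert          dict in the shape ssl.SSLSocket.getpeercert() returns
    der_len       size of the DER-encoded certificate in bytes
    expected_sans names the operator listed in tls-san plus the defaults
                  RKE2 adds (assumption: the caller knows this set)
    """
    now = time.time() if now is None else now
    findings = []
    sans = [value for _, value in cert.get("subjectAltName", ())]
    unexpected = sorted(set(sans) - set(expected_sans))
    if unexpected:
        findings.append(f"unexpected SAN entries: {unexpected}")
    if len(sans) > MAX_SAN_ENTRIES:
        findings.append(f"SAN list has {len(sans)} entries (> {MAX_SAN_ENTRIES})")
    if der_len > MAX_DER_BYTES:
        findings.append(f"certificate is {der_len} bytes DER (> {MAX_DER_BYTES})")
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not_after - now < EXPIRY_WARN_SECONDS:
        findings.append("certificate expires within 30 days; a frozen "
                        "(listener.cattle.io/static=true) cert will not renew")
    return findings


def fetch_cert(host, ca_file, port=6443):
    """Connect to the supervisor port, verify against the cluster CA and
    return (cert dict, DER length). The CA file location is an assumption."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), len(tls.getpeercert(binary_form=True))


if __name__ == "__main__":
    import sys  # usage: audit.py <server> <server-ca.crt> <expected SAN>...
    cert, der_len = fetch_cert(sys.argv[1], sys.argv[2])
    for finding in audit_cert(cert, der_len, set(sys.argv[3:])):
        print("WARN", finding)
```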
Weakness Enumeration
Allocation of Resources Without Limits
Related Identifiers
CVE-2023-32186
Affected Products
Suse Rke2