Kubernetes 1.x < 1.11.8 / 1.12.x < 1.12.6 / 1.13.x < 1.13.4 API server DOS

medium Nessus Plugin ID 123831

Synopsis

The remote host contains an application affected by a denial of service vulnerability.

Description

The version of Kubernetes installed on the remote host is version 1.x prior to 1.11.8, 1.12.x prior to 1.12.6 or 1.13.x prior to 1.13.4. It is, therefore, affected by a denial of service vulnerability in the API server. An authenticated, remote attacker can exploit this via a specially crafted patch request of type json-patch to cause the API Server to stop responding.

Solution

Upgrade to Kubernetes 1.11.8, 1.12.6, 1.13.4 or later, refer to the vendor advisory for relevant patch and configuration settings.

See Also

http://www.nessus.org/u?0c4d72c7

http://www.nessus.org/u?6d86c825

http://www.nessus.org/u?b820e40a

Plugin Details

Severity: Medium

ID: 123831

File Name: kubernetes_1_13_4_api_server_dos.nasl

Version: 1.5

Type: local

Agent: unix

Family: CGI abuses

Published: 4/9/2019

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P

CVSS Score Source: CVE-2019-1002100

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:google:kubernetes, cpe:/a:kubernetes:kubernetes

Required KB Items: installed_sw/Kubernetes

Exploit Ease: No known exploits are available

Patch Publication Date: 3/1/2019

Vulnerability Publication Date: 3/1/2019

Reference Information

CVE: CVE-2019-1002100

BID: 107290