
====================================================================

                             CERT-Renater

                 Information Note No. 2020/VULN168
_____________________________________________________________________

DATE                : 26/03/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Kubernetes versions prior to
                     1.17.3, 1.16.7 and 1.15.10.

=====================================================================
https://groups.google.com/forum/#!topic/kubernetes-announce/jPiyJ1KL_FI
_____________________________________________________________________


Hello Kubernetes Community,

Two security issues were discovered in Kubernetes that could lead to a
recoverable denial of service.

*CVE-2020-8551* affects the kubelet, and has been rated *Medium*
(CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L>).

*CVE-2020-8552* affects the API server, and has also been rated *Medium*
(CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L>).

Am I vulnerable?

If an attacker can make an authorized resource request to an unpatched
API server (see below), then you may be vulnerable to CVE-2020-8552. If
an attacker can make an authorized request to an unpatched kubelet, then
you may be vulnerable to CVE-2020-8551.

Affected Versions

CVE-2020-8551 affects:

   - kubelet v1.17.0 - v1.17.2
   - kubelet v1.16.0 - v1.16.6
   - kubelet v1.15.0 - v1.15.9
   - *kubelets prior to v1.15.0 are unaffected*

CVE-2020-8552 affects:

   - kube-apiserver v1.17.0 - v1.17.2
   - kube-apiserver v1.16.0 - v1.16.6
   - kube-apiserver < v1.15.10
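As an added example (not part of the Kubernetes announcement and not CERT-Renater tooling), the check below reads the JSON that `kubectl get nodes -o json` and `kubectl version -o json` produce and flags kubelets and API servers whose release falls inside the affected ranges listed above. It handles the two asymmetries in the advisory: kubelets older than v1.15.0 are unaffected, while every API server older than v1.15.10 is affected. The node list, node names and version strings embedded in the script are constructed samples, not output from a real cluster.

```python
"""Flag kubelets (CVE-2020-8551) and API servers (CVE-2020-8552) whose
version falls in the affected ranges of this advisory.

Added example; not Kubernetes project code.  Feed it the output of
`kubectl get nodes -o json` and `kubectl version -o json`.  The sample
documents at the bottom are constructed for illustration.
"""
import json
import re
import sys

# (lowest affected release, first fixed release).  A lower bound of None
# means every earlier release is affected, as the advisory states for the
# API server ("kube-apiserver < v1.15.10").
KUBELET_AFFECTED = [
    ((1, 17, 0), (1, 17, 3)),
    ((1, 16, 0), (1, 16, 7)),
    ((1, 15, 0), (1, 15, 10)),   # kubelets before v1.15.0 are unaffected
]
APISERVER_AFFECTED = [
    ((1, 17, 0), (1, 17, 3)),
    ((1, 16, 0), (1, 16, 7)),
    (None, (1, 15, 10)),
]

# Matches "v1.16.4", "1.16.4" and vendor builds such as "v1.15.9-eks-1",
# keeping only the upstream major.minor.patch triple.
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) for a Kubernetes gitVersion string."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Kubernetes version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version, ranges):
    """True if version lies in any [low, fixed) range of the advisory."""
    v = parse_version(version)
    return any((low is None or v >= low) and v < fixed for low, fixed in ranges)


def vulnerable_kubelets(nodes_doc):
    """Map node name -> kubeletVersion for nodes running an affected kubelet.

    nodes_doc is the parsed output of `kubectl get nodes -o json`; the
    kubelet release is reported under status.nodeInfo.kubeletVersion.
    """
    hits = {}
    for node in nodes_doc["items"]:
        ver = node["status"]["nodeInfo"]["kubeletVersion"]
        if is_affected(ver, KUBELET_AFFECTED):
            hits[node["metadata"]["name"]] = ver
    return hits


def apiserver_vulnerable(version_doc):
    """True if the API server in `kubectl version -o json` output is affected.

    The server release is serverVersion.gitVersion; clientVersion is the
    kubectl binary and is irrelevant to CVE-2020-8552.
    """
    return is_affected(version_doc["serverVersion"]["gitVersion"], APISERVER_AFFECTED)


# Constructed sample documents (node names and versions are made up).
SAMPLE_NODES = json.loads("""
{"items": [
  {"metadata": {"name": "cp-1"},     "status": {"nodeInfo": {"kubeletVersion": "v1.16.6"}}},
  {"metadata": {"name": "worker-1"}, "status": {"nodeInfo": {"kubeletVersion": "v1.15.9-eks-1"}}},
  {"metadata": {"name": "worker-2"}, "status": {"nodeInfo": {"kubeletVersion": "v1.14.10"}}},
  {"metadata": {"name": "worker-3"}, "status": {"nodeInfo": {"kubeletVersion": "v1.17.3"}}}
]}
""")
SAMPLE_VERSION = json.loads(
    '{"clientVersion": {"gitVersion": "v1.17.3"},'
    ' "serverVersion": {"gitVersion": "v1.15.4"}}'
)


def main():
    # Usage: python check_k8s_dos.py nodes.json version.json
    # With no arguments the constructed samples are used.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            nodes = json.load(f)
        with open(sys.argv[2]) as f:
            version = json.load(f)
    else:
        nodes, version = SAMPLE_NODES, SAMPLE_VERSION
    for name, ver in vulnerable_kubelets(nodes).items():
        print(f"CVE-2020-8551: node {name} runs affected kubelet {ver}")
    if apiserver_vulnerable(version):
        print(f"CVE-2020-8552: affected kube-apiserver "
              f"{version['serverVersion']['gitVersion']}")


if __name__ == "__main__":
    main()
```

Run against a real cluster with `kubectl get nodes -o json > nodes.json` and `kubectl version -o json > version.json`; the regex deliberately ignores vendor suffixes, so a distribution that backports the fix without bumping the upstream patch number would still be reported and needs to be confirmed against the vendor's release notes.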

How do I mitigate these vulnerabilities?

Prior to upgrading, these vulnerabilities can be mitigated by:

   - Preventing unauthenticated or unauthorized access to the affected
   components (the kubelet and the API server)
   - Ensuring the apiserver and kubelet restart automatically after an
   out-of-memory (OOM) error, since the denial of service is recoverable


Fixed Versions

Both vulnerabilities are patched in kubernetes versions

   - v1.17.3
   - v1.16.7
   - v1.15.10

To upgrade, refer to the documentation:
https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster

Additional Details

See the GitHub issues for more details:

CVE-2020-8551: https://github.com/kubernetes/kubernetes/issues/89377
CVE-2020-8552: https://github.com/kubernetes/kubernetes/issues/89378


Thank You,

Tim Allclair on behalf of the Kubernetes Product Security Committee


=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================



