NEW KUBERNETES SECURITY ALERT: Vulnerabilities Enable Denial of Service on kubelet and API Server

Sagar Nangare
Mar 24, 2020

Two security vulnerabilities have been discovered in Kubernetes that can be used to cause denial of service. Security researchers found these issues in the Kubernetes kubelet and API server components. Both issues are rated medium severity, and the affected components can be recovered.

If an attacker can make an authorized resource request to an unpatched API server (see below), then you are vulnerable. Prior to v1.14, this was possible via unauthenticated requests by default. If an attacker can make a request to an unpatched kubelet, then you may be vulnerable.

Affected versions:

CVE-2020-8551:

  • kubelet v1.17.0 to v1.17.2
  • kubelet v1.16.0 to v1.16.6
  • kubelet v1.15.0 to v1.15.10

CVE-2020-8552:

  • kube-apiserver v1.17.0 to v1.17.2
  • kube-apiserver v1.16.0 to v1.16.6
  • kube-apiserver < v1.15.10

These vulnerabilities can be mitigated by:

  • Preventing unauthenticated or unauthorized access to all APIs.
  • Ensuring the API server restarts automatically if it is OOM-killed.
  • Limiting access to the kubelet API, or patching the kubelet.

Both vulnerabilities have been fixed in the following versions:

  • v1.17.3
  • v1.16.7
  • v1.15.10
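As an added example (not from the original post), the script below classifies a kubelet or kube-apiserver version against the affected and fixed versions listed above. It treats the fixed releases (v1.17.3, v1.16.7, v1.15.10) as the first safe patch level of each minor series, follows the post's "kube-apiserver < v1.15.10" range for older API server series, and, with `--scan`, reads live versions from `kubectl get nodes` and the API server's `/version` endpoint; the need for a working `kubectl` context and the sample versions in the offline demo are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: classify a kubelet or
# kube-apiserver version against the affected ranges listed above for
# CVE-2020-8551 and CVE-2020-8552. The post lists the same fixed releases for
# both (v1.17.3, v1.16.7, v1.15.10), so a version in the 1.15-1.17 series is
# treated as affected when its patch level is below the fixed release.
# "unknown" is reported for strings that do not look like MAJOR.MINOR.PATCH.

# k8s_cve_status <kubelet|kube-apiserver> <version>
# Prints one of: affected, not-affected, unknown.
k8s_cve_status() {
    component=$1
    ver=${2#v}                 # accept "v1.16.4" and "1.16.4"
    ver=${ver%%[-+]*}          # ignore vendor/build suffixes such as "-gke.1"
    case "$component" in
        kubelet|kube-apiserver) ;;
        *) echo "unknown"; return 0 ;;
    esac
    case "$ver" in
        *.*.*) ;;
        *) echo "unknown"; return 0 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%.*}         # tolerate a fourth component
    # Every field must be a non-empty run of digits.
    case "$major:$minor:$patch" in
        *[!0-9:]*|:*|*:|*::*) echo "unknown"; return 0 ;;
    esac
    if [ "$major" -ne 1 ]; then echo "not-affected"; return 0; fi
    # First fixed patch release of each affected minor series (from the post).
    case "$minor" in
        17) fixed=3 ;;
        16) fixed=7 ;;
        15) fixed=10 ;;
        *)  fixed="" ;;
    esac
    if [ -n "$fixed" ]; then
        if [ "$patch" -lt "$fixed" ]; then echo "affected"; else echo "not-affected"; fi
        return 0
    fi
    # Outside 1.15-1.17: the post lists "kube-apiserver < v1.15.10", which
    # takes in older minor series; for the kubelet it lists only 1.15-1.17.
    if [ "$component" = "kube-apiserver" ] && [ "$minor" -lt 15 ]; then
        echo "affected"
    else
        echo "not-affected"
    fi
}

# scan_cluster: feed live versions from the current kubectl context into
# k8s_cve_status (API server via /version, kubelets via node status).
scan_cluster() {
    server=$(kubectl get --raw /version |
        sed -n 's/.*"gitVersion": *"\([^"]*\)".*/\1/p' | head -n 1)
    echo "kube-apiserver $server -> $(k8s_cve_status kube-apiserver "$server")"
    kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{" "}{.status.nodeInfo.kubeletVersion}{"\n"}{end}' |
    while read -r node kver; do
        echo "kubelet $node $kver -> $(k8s_cve_status kubelet "$kver")"
    done
}

if [ "${1-}" = "--scan" ]; then
    scan_cluster
else
    # Offline demo on constructed sample versions (no cluster needed).
    for v in v1.17.2 v1.17.3 v1.16.6-gke.1 v1.15.10 v1.14.8 v1.18.0; do
        echo "kube-apiserver $v -> $(k8s_cve_status kube-apiserver "$v")"
        echo "kubelet        $v -> $(k8s_cve_status kubelet "$v")"
    done
fi
```

Run it with no arguments for the offline demo, or with `--scan` against a cluster you administer to list every node's kubelet and the API server with their status; versions outside the 1.15 to 1.17 series are reported as not affected only because the post lists no ranges for them, so treat that output as "not in the listed ranges" rather than as a general clean bill.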

You can refer to the documentation for upgrade instructions here: https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster

More details can be found here:

CVE-2020-8551: https://github.com/kubernetes/kubernetes/issues/89377

CVE-2020-8552: https://github.com/kubernetes/kubernetes/issues/89378

To harden your Kubernetes cluster against security attacks, refer to Calsoft's recently released Kubernetes Security Primer and Best Practices Guide.

Sagar Nangare

Technology Blogger. Digital Strategist, Calsoft Inc.