Notice on Fixing Kubernetes HTTP/2 Vulnerability
Description
The Kubernetes community has disclosed two Go-related vulnerabilities: CVE-2019-9512 and CVE-2019-9514. The flaws lie in the net/http library of the Go language and affect all versions and all components of Kubernetes. They may allow DoS attacks against any process that serves an HTTP or HTTPS listener.
Go has released versions Go 1.12.9 and Go 1.11.13.
Kubernetes has released v1.13.10, built with go1.11.13, using the patched version of Go.
CCE has released Kubernetes v1.13.10 clusters, which fix the vulnerability. For existing Kubernetes clusters of v1.13, a patch will be provided at the end of September 2019. Kubernetes clusters earlier than v1.13 should be upgraded to v1.13.10.
Type | CVE-ID | Severity | Discovered
---|---|---|---
DoS attack | CVE-2019-9512 | High | 2019-08-13
Resource management flaw | CVE-2019-9514 | High | 2019-08-13
Impact
Default clusters are protected by VPCs and security groups and therefore not vulnerable.
If cluster APIs are exposed to Internet users, the cluster control plane may be vulnerable.
Solution
- The latest Kubernetes v1.13.10 has been released to fix the vulnerability.
- If the Kubernetes cluster is earlier than v1.13, upgrade the cluster version.
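Whether a component is actually running on a fixed toolchain can be checked from the Go version string it reports (for example the goVersion field in `kubectl version -o json`, or `runtime.Version()` inside a Go binary). The following is an added example, not part of this notice or of CCE's tooling: it compares such a string against the patched releases named above, go1.11.13 and go1.12.9. The sample version strings are constructed, and the treatment of go1.13 and later as patched is an assumption not stated in the notice.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Minimum patched point release per Go minor series, as named in the notice:
// go1.11.13 and go1.12.9.
var patchedGo = map[int]int{
	11: 13,
	12: 9,
}

// leadingInt parses the digits at the start of s ("13rc1" -> 13).
func leadingInt(s string) (int, error) {
	i := 0
	for i < len(s) && s[i] >= '0' && s[i] <= '9' {
		i++
	}
	if i == 0 {
		return 0, fmt.Errorf("no leading integer in %q", s)
	}
	return strconv.Atoi(s[:i])
}

// parseGoVersion turns a string such as "go1.12.8" or "go1.13" into
// (minor, patch). Pre-release suffixes like "rc1" are ignored.
func parseGoVersion(v string) (minor, patch int, err error) {
	v = strings.TrimPrefix(strings.TrimSpace(v), "go")
	parts := strings.Split(v, ".")
	if len(parts) < 2 || parts[0] != "1" {
		return 0, 0, fmt.Errorf("unsupported Go version string %q", v)
	}
	if minor, err = leadingInt(parts[1]); err != nil {
		return 0, 0, err
	}
	if len(parts) > 2 {
		if patch, err = leadingInt(parts[2]); err != nil {
			return 0, 0, err
		}
	}
	return minor, patch, nil
}

// IsPatchedGo reports whether a Go toolchain version string is at or above
// the releases that fix CVE-2019-9512 and CVE-2019-9514.
// Assumption (not stated in the notice): go1.13 and later, released after the
// fix, are treated as patched; go1.10 and earlier never received it.
func IsPatchedGo(v string) (bool, error) {
	minor, patch, err := parseGoVersion(v)
	if err != nil {
		return false, err
	}
	if minPatch, known := patchedGo[minor]; known {
		return patch >= minPatch, nil
	}
	return minor > 12, nil
}

func main() {
	// Constructed sample values, in the format a component's goVersion uses.
	for _, v := range []string{"go1.11.13", "go1.12.8", "go1.12.9", "go1.10.8", "go1.13"} {
		ok, err := IsPatchedGo(v)
		fmt.Printf("%-10s patched=%v err=%v\n", v, ok, err)
	}
}
```

Run it against every control-plane and node component, not only the API server: the notice states that all Kubernetes components are affected, so a kubelet or controller built with an older toolchain remains exposed even after the API server is upgraded.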
References
Netflix:
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
Bug fixes for Go:
https://golang.org/doc/devel/release.html#go1.12
PRs in Kubernetes community:
Technical Details
Most of these attacks operate at the HTTP/2 layer, between the request streams and the TLS transport. Many of them involve zero or only one request.
Since the early days of HTTP, middleware services have been request-oriented: logs are split by request rather than by connection, rate limiting is applied per request, and throttling is triggered when the number of requests reaches a configured limit.
Few tools can log, rate-limit, or adjust rates based on client behavior at the HTTP/2 layer. Without such tools, middleware services find it even harder to detect and block malicious HTTP/2 connections.
The vulnerabilities allow remote attackers to consume excessive system resources. Some of the attacks are very efficient: a single end system can severely impact multiple servers, causing server shutdown, crashes of core processes, or hangs. Less efficient attacks can be just as troublesome: they only slow servers down, and the slowdown may be intermittent, which makes the attacks harder to detect and prevent.
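Because the abuse happens below the request level, a useful complement to the Go upgrade is a control that sees the connection itself. The following is an added example, not code from this notice, from Kubernetes or from CCE: it wraps a Go net/http server so that each client IP is capped at a fixed number of concurrently open connections via the ConnState hook, and sets read, write and idle timeouts so a connection that sends nothing cannot be held open indefinitely. The cap and timeout values are illustrative assumptions; the rejection is logged per connection, which gives an operator a connection-level signal that ordinary per-request logs lack.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
	"sync"
	"time"
)

// ConnLimiter caps the number of concurrently open connections per client IP.
// It acts at the connection level, before any HTTP/2 frame is parsed, so a
// client that opens a connection and never sends a request still consumes
// one of its slots.
type ConnLimiter struct {
	mu     sync.Mutex
	max    int
	active map[string]int
}

func NewConnLimiter(maxPerIP int) *ConnLimiter {
	return &ConnLimiter{max: maxPerIP, active: make(map[string]int)}
}

// Acquire charges one connection to ip and reports whether it fits the cap.
func (l *ConnLimiter) Acquire(ip string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	if l.active[ip] >= l.max {
		return false
	}
	l.active[ip]++
	return true
}

// Release returns the slot held by a connection that has closed.
func (l *ConnLimiter) Release(ip string) {
	l.mu.Lock()
	defer l.mu.Unlock()
	if l.active[ip] <= 1 {
		delete(l.active, ip)
		return
	}
	l.active[ip]--
}

// Active reports how many open connections are currently charged to ip.
func (l *ConnLimiter) Active(ip string) int {
	l.mu.Lock()
	defer l.mu.Unlock()
	return l.active[ip]
}

// clientIP extracts the host part of a connection's remote address.
func clientIP(c net.Conn) string {
	addr := c.RemoteAddr().String()
	if host, _, err := net.SplitHostPort(addr); err == nil {
		return host
	}
	return addr
}

// NewHardenedServer wires the limiter into net/http's ConnState hook and sets
// timeouts so a slow or idle connection cannot be held open indefinitely.
// Timeout values are illustrative assumptions, not taken from the notice.
func NewHardenedServer(addr string, h http.Handler, l *ConnLimiter) *http.Server {
	// Connections that passed the limiter: a rejected connection must not
	// release a slot it never held when its own StateClosed callback fires.
	var accepted sync.Map
	return &http.Server{
		Addr:              addr,
		Handler:           h,
		ReadHeaderTimeout: 10 * time.Second,
		ReadTimeout:       30 * time.Second,
		WriteTimeout:      30 * time.Second,
		IdleTimeout:       60 * time.Second,
		ConnState: func(c net.Conn, s http.ConnState) {
			switch s {
			case http.StateNew:
				ip := clientIP(c)
				if l.Acquire(ip) {
					accepted.Store(c, ip)
				} else {
					log.Printf("rejecting connection from %s: per-IP cap reached", ip)
					c.Close()
				}
			case http.StateClosed, http.StateHijacked:
				if ip, ok := accepted.LoadAndDelete(c); ok {
					l.Release(ip.(string))
				}
			}
		},
	}
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "ok")
	})
	srv := NewHardenedServer("127.0.0.1:8080", mux, NewConnLimiter(20))
	log.Fatal(srv.ListenAndServe())
}
```

This is a coarse control: it cannot inspect individual HTTP/2 frames, so it bounds how much a single source can hold open rather than detecting a specific malformed stream, and clients behind a shared NAT address share one budget. It reduces exposure while the toolchain upgrade is rolled out; it does not replace it.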