Notice on Fixing Kubernetes HTTP/2 Vulnerability

Description

The Kubernetes community has released Go-related vulnerabilities: CVE-2019-9512 and CVE-2019-9514. The security issue has been found in the net/http library of the Go language that affects all versions and all components of Kubernetes. These vulnerabilities may cause DoS attacks to all processes that process HTTP or HTTPS Listener.

Go has released versions Go 1.12.9 and Go 1.11.13.

Kubernetes has released v1.13.10 - go1.11.13 using patched versions of Go.

CCE has released the latest Kubernetes clusters of v1.13.10 to fix the vulnerability. For Kubernetes clusters of v1.13, a patch will be provided at the end of September 2019 to fix the bug. For Kubernetes clusters earlier than v1.13, upgrade them to v1.13.10.

**Table 1** Vulnerability information
Type	CVE-ID	Severity	Discovered
DoS attack	CVE-2019-9512	High	2019-08-13
Resource management flaw	CVE-2019-9514	High	2019-08-13

Impact

Default clusters are protected by VPCs and security groups and therefore not vulnerable.

If cluster APIs are exposed to Internet users, the cluster control plane may be vulnerable.

Solution

The latest Kubernetes v1.13.10 has been released to fix the vulnerability.
If the Kubernetes cluster is earlier than v1.13, upgrade the cluster version.

References

Netflix:

https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md

Bug fixes for Go:

https://golang.org/doc/devel/release.html#go1.12

PRs in Kubernetes community:

https://github.com/kubernetes/kubernetes/pull/81520

https://github.com/kubernetes/kubernetes/pull/81522

Technical Details

Most of these attacks occur at the HTTP/2 layer between request streams and TLS transmission. In fact, many attacks involve zero or one request.

Since the early hypertext transfer protocol, middleware services are request-oriented: logs are separated by requests instead of connections; rate limiting occurs at the request level; throttling is triggered when the number of requests reaches a specified limit.

Few tools can perform logging, rate limiting, and rate modification based on the client behavior at the HTTP/2 layer. Without tools, middleware services may find it even more difficult to detect and block malicious HTTP/2 connections.

The vulnerabilities allow remote attackers to consume excess system resources. Some attacks are very efficient, allowing a single terminal system to cause severe impacts on multiple servers. These impacts include server shutdown, crash of core processes, and suspension. Attacks that are less efficient may cause lead to challenging issues. They only slow down servers and the slowdown may occur intermittently, making it more difficult to detect and prevent attacks.

Parent topic: Vulnerability Notices

Previous topic: Notice on the Kubernetes kubelet and kube-proxy Authorization Vulnerability (CVE-2020-8558)

Next topic: Notice on Fixing Linux Kernel SACK Vulnerabilities