Updated on 2023-08-02 GMT+08:00

Notice on Fixing Kubernetes HTTP/2 Vulnerability

Description

The Kubernetes community has disclosed two Go-related vulnerabilities: CVE-2019-9512 and CVE-2019-9514. The flaws are in the net/http library of the Go language and affect all versions and all components of Kubernetes. They can be used for denial-of-service (DoS) attacks against any process that serves an HTTP or HTTPS listener.

Go has released fixed versions Go 1.12.9 and Go 1.11.13.

Kubernetes has released v1.13.10, built with go1.11.13, using the patched version of Go.

CCE has released the latest Kubernetes clusters of v1.13.10 to fix the vulnerability. For Kubernetes clusters of v1.13, a patch will be provided at the end of September 2019 to fix the bug. For Kubernetes clusters earlier than v1.13, upgrade them to v1.13.10.

Table 1 Vulnerability information

Type                      | CVE-ID        | Severity | Discovered
DoS attack                | CVE-2019-9512 | High     | 2019-08-13
Resource management flaw  | CVE-2019-9514 | High     | 2019-08-13

Impact

Default clusters are protected by VPCs and security groups and therefore not vulnerable.

If cluster APIs are exposed to Internet users, the cluster control plane may be vulnerable.

Solution

  • The latest Kubernetes v1.13.10 has been released to fix the vulnerability.
  • If the Kubernetes cluster is earlier than v1.13, upgrade the cluster version.
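As an added example (not part of this notice or of CCE's own tooling), the following Python check parses the serverVersion block of `kubectl version -o json` and reports whether the control plane is built with a Go release at or beyond the patched versions named above (Go 1.11.13 / Go 1.12.9) and whether it is at Kubernetes v1.13.10 or later. The sample JSON documents are constructed for the example.

```python
"""Check a Kubernetes control plane's reported Go build against the
releases that fix CVE-2019-9512 / CVE-2019-9514."""
import json
import re

# Patched Go releases named in the notice, keyed by minor line.
PATCHED_GO = {(1, 11): (1, 11, 13), (1, 12): (1, 12, 9)}
PATCHED_K8S = (1, 13, 10)

# Constructed sample outputs of `kubectl version -o json` (serverVersion only).
SAMPLE_VULNERABLE = json.dumps({"serverVersion": {
    "gitVersion": "v1.13.9", "goVersion": "go1.11.12"}})
SAMPLE_FIXED = json.dumps({"serverVersion": {
    "gitVersion": "v1.13.10-r0", "goVersion": "go1.11.13"}})


def parse_version(s):
    """Turn 'go1.11.12', 'v1.13.9' or 'v1.13.10-r0' into (major, minor, patch)."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", s)
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def go_is_patched(go_version):
    """True if the Go toolchain is at or beyond the fixed release for its line.
    Lines newer than 1.12 post-date the fix and are treated as patched;
    lines older than 1.11 never received a fix."""
    v = parse_version(go_version)
    line = v[:2]
    if line in PATCHED_GO:
        return v >= PATCHED_GO[line]
    return line > (1, 12)


def assess(kubectl_version_json):
    """Evaluate the serverVersion block and flag an unpatched Go build."""
    sv = json.loads(kubectl_version_json)["serverVersion"]
    go_ok = go_is_patched(sv["goVersion"])
    k8s_ok = parse_version(sv["gitVersion"]) >= PATCHED_K8S
    return {"goVersion": sv["goVersion"], "gitVersion": sv["gitVersion"],
            "goPatched": go_ok, "k8sPatched": k8s_ok, "vulnerable": not go_ok}


if __name__ == "__main__":
    for sample in (SAMPLE_VULNERABLE, SAMPLE_FIXED):
        print(assess(sample))
```

Against a live cluster, feed it the output of `kubectl version -o json`; the Go version is the deciding field, the Kubernetes version is reported as a secondary indicator.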

Technical Details

Most of these attacks operate at the HTTP/2 framing layer, between the TLS transport and the individual request streams. Many of them involve zero or one actual HTTP request.

Since the earliest versions of HTTP, middleware services have been request-oriented: logs are written per request rather than per connection, rate limiting is applied per request, and throttling is triggered when the request count reaches a configured limit.

Few tools can log, rate-limit, or throttle based on client behavior at the HTTP/2 layer. Without such tools, middleware services find it even harder to detect and block malicious HTTP/2 connections.

The vulnerabilities allow remote attackers to consume excessive system resources. Some of the attacks are very efficient: a single client can severely affect multiple servers, causing server shutdown, crashes of core processes, or hangs. Less efficient attacks can be harder to deal with: they only slow servers down, and the slowdown may be intermittent, which makes the attacks more difficult to detect and prevent.