Two denial-of-service vulnerabilities have been disclosed in Kubernetes, one in the Kubelet and one in the API server. Both are rated medium severity: a successful attack takes the component down, but the component can be recovered by restarting it, so the impact is loss of availability rather than compromise of data or cluster control.
For the API server issue, you are vulnerable if an attacker can make an authorized resource request to an unpatched API server (affected versions are listed below). Prior to v1.14, unauthenticated requests were accepted by default, so older clusters were exposed to anonymous callers as well. For the Kubelet issue, you may be vulnerable if an attacker can make a request to the Kubelet API on an unpatched node.
Affected versions:
- kubelet v1.17.0 – v1.17.2
- kubelet v1.16.0 – v1.16.6
- kubelet v1.15.0 – v1.15.10
- kube-apiserver v1.17.0 – v1.17.2
- kube-apiserver v1.16.0 – v1.16.6
- kube-apiserver < v1.15.10
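As an added example (not code from the original post or from the Kubernetes project), the following POSIX shell script encodes the affected ranges listed above and checks node and control-plane versions against them. The range logic, the constructed sample node list and the `--live` mode are assumptions of this example; the `kubectl get nodes -o jsonpath=...` query and `kubectl get --raw /version` are standard kubectl features. Vendor suffixes such as `-gke.9` or `+k3s1` are stripped before comparison.

```shell
#!/bin/sh
# Added example, not from the original post: compares kubelet and
# kube-apiserver versions against the affected ranges stated on this page.
# The ranges, the sample data and the --live query are assumptions here.

# is_affected COMPONENT VERSION
#   returns 0 if VERSION is in an affected range for COMPONENT
#   (kubelet or kube-apiserver), 1 if not, 2 if the input is unparsable.
is_affected() {
    component="$1"
    # Strip the leading "v" and any vendor/build suffix such as "-gke.9" or "+k3s1".
    ver=$(printf '%s' "$2" | sed -e 's/^v//' -e 's/[-+].*$//')
    case "$ver" in
        *.*.*) ;;
        *) return 2 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    for n in "$major" "$minor" "$patch"; do
        case "$n" in ''|*[!0-9]*) return 2 ;; esac
    done
    [ "$major" -eq 1 ] || return 1
    case "$component" in
        kubelet)
            { [ "$minor" -eq 17 ] && [ "$patch" -le 2 ]; } ||
            { [ "$minor" -eq 16 ] && [ "$patch" -le 6 ]; } ||
            { [ "$minor" -eq 15 ] && [ "$patch" -le 10 ]; }
            ;;
        kube-apiserver)
            { [ "$minor" -eq 17 ] && [ "$patch" -le 2 ]; } ||
            { [ "$minor" -eq 16 ] && [ "$patch" -le 6 ]; } ||
            [ "$minor" -lt 15 ] ||
            { [ "$minor" -eq 15 ] && [ "$patch" -lt 10 ]; }
            ;;
        *) return 2 ;;
    esac
}

# affected_nodes: reads "NAME<TAB>KUBELET_VERSION" lines on stdin and prints
# a verdict line for every node whose kubelet is affected or unparsable.
affected_nodes() {
    tab=$(printf '\t')
    while IFS="$tab" read -r name version; do
        [ -n "$name" ] || continue
        rc=0
        is_affected kubelet "$version" || rc=$?
        case $rc in
            0) printf '%s\t%s\tAFFECTED\n' "$name" "$version" ;;
            2) printf '%s\t%s\tUNPARSABLE\n' "$name" "$version" ;;
        esac
    done
}

# Constructed sample of the jsonpath output used in main(); not real cluster data.
sample_nodes() {
    printf 'node-a\tv1.17.2\nnode-b\tv1.16.8-gke.9\nnode-c\tv1.15.10\n'
}

# apiserver_status VERSION: prints a verdict line for the control plane.
apiserver_status() {
    if is_affected kube-apiserver "$1"; then
        printf 'kube-apiserver %s: AFFECTED\n' "$1"
    else
        printf 'kube-apiserver %s: not affected\n' "$1"
    fi
}

main() {
    if [ "${1:-}" = "--live" ]; then
        # Live mode: query the cluster with kubectl (assumes a working kubeconfig).
        kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.status.nodeInfo.kubeletVersion}{"\n"}{end}' | affected_nodes
        apiserver_status "$(kubectl get --raw /version | sed -n 's/.*"gitVersion": *"\([^"]*\)".*/\1/p')"
    else
        # Offline mode: constructed sample data.
        sample_nodes | affected_nodes
        apiserver_status v1.15.9
    fi
}

main "$@"
```

Run it with `--live` against a cluster to list nodes still on an affected kubelet; without arguments it evaluates the constructed sample, reporting node-a and node-c as affected and a v1.15.9 API server as affected.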
If you cannot upgrade immediately, these vulnerabilities can be mitigated by:
- Preventing unauthenticated or unauthorized access to all APIs, on both the API server and the Kubelet.
- Ensuring the kube-apiserver is restarted automatically if it is killed for running out of memory (OOM), for example by running it as a static pod or under a process supervisor, so that a successful attack causes a brief outage rather than a lasting one.
- Limiting access to the Kubelet API (restrict network access to the Kubelet ports, disable anonymous authentication and use Webhook authorization) or patching the Kubelet.
Both issues are fixed in patch releases of each affected minor version; upgrade to the latest patch release for your minor version.
You can refer to the documentation for upgrade instructions here: https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster
More details can be found in the upstream Kubernetes security announcement.