Kubernetes Vulnerabilities Allow Authentication Bypass, DoS (CVE-2019-16276)

October 18, 2019

Summary

Two dangerous vulnerabilities have recently been discovered in Kubernetes, the open-source container-orchestration system:

  • CVE-2019-16276
  • CVE-2019-11253

Impact

  • Attackers may be able to bypass authentication using HTTP request smuggling due to a flaw in the Go language's net/http library. If you are using an Authenticating Proxy in front of your Kubernetes API server, it may be possible to bypass authentication. [1] [2] [3]
  • A second flaw in the Kubernetes API server's parsing of YAML/JSON could allow attackers to perform a Denial of Service (DoS) attack. [1] [4] [5]

Vulnerable

  • Kubernetes v1.0.0-1.12.x
  • Kubernetes v1.13.0-1.13.11 (resolved in v1.13.12)
  • Kubernetes v1.14.0-1.14.7 (resolved in v1.14.8)
  • Kubernetes v1.15.0-1.15.4 (resolved in v1.15.5)
  • Kubernetes v1.16.0-1.16.1 (resolved in v1.16.2)

Recommendations

  • Upgrade to a patched version of Kubernetes immediately. 
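
To triage a cluster inventory against the version ranges listed above, the following Go program classifies a version string and names the first fixed release in its line. It is an added example, not code from the advisory or the Kubernetes project; the function name `Assess` and the sample inventory are constructed. It assumes vendor build suffixes (such as `-gke.1`) do not change patch status, which should be confirmed against the vendor's own advisory.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// First patched release per minor line, from the advisory's "Vulnerable" list.
var fixedPatch = map[int]int{13: 12, 14: 8, 15: 5, 16: 2}

// Captures major.minor.patch plus an optional upstream pre-release tag.
var versionRE = regexp.MustCompile(`^v?(\d+)\.(\d+)\.(\d+)(-(?:alpha|beta|rc)\b)?`)

// Assess (hypothetical helper) classifies a Kubernetes version string against
// the advisory. Vendor suffixes such as "-gke.1" or "+k3s1" are ignored.
func Assess(version string) (vulnerable bool, advice string) {
	m := versionRE.FindStringSubmatch(version)
	if m == nil {
		// Fail safe: an unknown version is flagged for manual review.
		return true, "unparseable version, verify manually"
	}
	major, _ := strconv.Atoi(m[1])
	minor, _ := strconv.Atoi(m[2])
	patch, _ := strconv.Atoi(m[3])
	fixed := fixedPatch[minor]
	switch {
	case major != 1 || minor > 16:
		return false, "outside the ranges listed in the advisory"
	case minor <= 12:
		return true, "no fixed release listed for this line, move to a patched minor"
	case patch < fixed || (patch == fixed && m[4] != ""):
		// A pre-release of the fixed version sorts before the fixed version.
		return true, fmt.Sprintf("upgrade to v1.%d.%d or later", minor, fixed)
	default:
		return false, "at or above the fixed release"
	}
}

func main() {
	// Constructed sample inventory, not taken from the advisory.
	inventory := []string{"v1.12.10", "v1.13.11", "v1.14.8-gke.1", "1.15.4+k3s1", "v1.16.2-rc.1", "v1.17.0"}
	for _, v := range inventory {
		vuln, advice := Assess(v)
		fmt.Printf("%-16s vulnerable=%-5t %s\n", v, vuln, advice)
	}
}
```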

References