CVE Vulnerabilities

CVE-2019-1002100

This vulnerability is marked as RESERVED by NVD. This means that the CVE-ID has been reserved for future use by a CVE Numbering Authority (CNA) or a security researcher, but its details are not yet publicly available.

This page will reflect the classification results once they are available through NVD.

Any available vendor information is shown below.

Redhat

CVE-2019-1002100 kube-apiserver: DoS with crafted patch of type json-patch

Mitigation

Remove ‘patch’ permissions from untrusted users.

Affected Software List

Name                                      | Vendor | Version
------------------------------------------|--------|------------------------------------------------
Red Hat OpenShift Container Platform 3.10 | RedHat | atomic-openshift-0:3.10.181-1.git.0.3ab4b3d.el7
Red Hat OpenShift Container Platform 3.11 | RedHat | atomic-openshift-0:3.11.129-1.git.0.bd4f2d5.el7

Ubuntu

In all Kubernetes versions prior to v1.11.8, v1.12.6, and v1.13.4, users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type “json-patch” (e.g. kubectl patch --type json or "Content-Type: application/json-patch+json") that consumes excessive resources while processing, causing a Denial of Service on the API Server.

Affected Software List

Name       | Vendor          | Version
-----------|-----------------|--------------------
Kubernetes | Ubuntu/devel    | TBD
Kubernetes | Ubuntu/disco    | reached end-of-life
Kubernetes | Ubuntu/eoan     | reached end-of-life
Kubernetes | Ubuntu/groovy   | TBD
Kubernetes | Ubuntu/hirsute  | TBD
Kubernetes | Ubuntu/cosmic   | reached end-of-life
Kubernetes | Ubuntu/focal    | TBD
Kubernetes | Ubuntu/upstream | TBD