{ "threat_severity" : "Moderate", "public_date" : "2019-02-28T00:00:00Z", "bugzilla" : { "description" : "kube-apiserver: DoS with crafted patch of type json-patch", "id" : "1683190", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1683190" }, "cvss3" : { "cvss3_base_score" : "6.5", "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-770", "details" : [ "In all Kubernetes versions prior to v1.11.8, v1.12.6, and v1.13.4, users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type \"json-patch\" (e.g. `kubectl patch --type json` or `\"Content-Type: application/json-patch+json\"`) that consumes excessive resources while processing, causing a Denial of Service on the API Server.", "A denial of service vulnerability was found in the Kubernetes API server. A remote user, with authorization to apply patches, could exploit this via crafted JSON input, causing excessive consumption of resources and subsequent denial of service." ], "statement" : "This issue affects the Kubernetes API Server, shipped in OpenShift Container Platform versions 3.4 through 3.11 as part of the atomic-openshift package. Red Hat Product Security has rated this issue as having a security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", "acknowledgement" : "Red Hat would like to thank Carl Henrik Lunde for reporting this issue.", "affected_release" : [ { "product_name" : "Red Hat OpenShift Container Platform 3.10", "release_date" : "2019-10-29T00:00:00Z", "advisory" : "RHSA-2019:3239", "cpe" : "cpe:/a:redhat:openshift:3.10::el7", "package" : "atomic-openshift-0:3.10.181-1.git.0.3ab4b3d.el7" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "release_date" : "2019-07-24T00:00:00Z", "advisory" : "RHSA-2019:1851", "cpe" : "cpe:/a:redhat:openshift:3.11::el7", "package" : "atomic-openshift-0:3.11.129-1.git.0.bd4f2d5.el7" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "release_date" : "2019-07-24T00:00:00Z", "advisory" : "RHSA-2019:1851", "cpe" : "cpe:/a:redhat:openshift:3.11::el7", "package" : "jenkins-2-plugins-0:3.11.1560870549-1.el7" } ], "package_state" : [ { "product_name" : "Red Hat OpenShift Container Platform 3.4", "fix_state" : "Will not fix", "package_name" : "atomic-openshift", "cpe" : "cpe:/a:redhat:openshift:3.4" }, { "product_name" : "Red Hat OpenShift Container Platform 3.5", "fix_state" : "Will not fix", "package_name" : "atomic-openshift", "cpe" : "cpe:/a:redhat:openshift:3.5" }, { "product_name" : "Red Hat OpenShift Container Platform 3.6", "fix_state" : "Out of support scope", "package_name" : "atomic-openshift", "cpe" : "cpe:/a:redhat:openshift:3.6" }, { "product_name" : "Red Hat OpenShift Container Platform 3.7", "fix_state" : "Out of support scope", "package_name" : "atomic-openshift", "cpe" : "cpe:/a:redhat:openshift:3.7" }, { "product_name" : "Red Hat OpenShift Container Platform 3.9", "fix_state" : "Fix deferred", "package_name" : "atomic-openshift", "cpe" : "cpe:/a:redhat:openshift:3.9" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Not affected", "package_name" : "openshift", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat Storage 3", "fix_state" : "Will not fix", "package_name" : "heketi", "cpe" : "cpe:/a:redhat:storage:3" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-1002100\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-1002100\nhttps://groups.google.com/forum/#!topic/kubernetes-announce/vmUUNkYfG9g" ], "name" : "CVE-2019-1002100", "mitigation" : { "value" : "Remove ‘patch’ permissions from untrusted users.", "lang" : "en:us" }, "csaw" : false }