{
  "threat_severity" : "Moderate",
  "public_date" : "2020-03-23T00:00:00Z",
  "bugzilla" : {
    "description" : "kubernetes: crafted requests to kubelet API allow for memory exhaustion",
    "id" : "1816403",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1816403"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-400",
  "details" : [ "The Kubelet component in versions 1.15.0-1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via the kubelet API, including the unauthenticated HTTP read-only API typically served on port 10255, and the authenticated HTTPS API typically served on port 10250.", "A denial of service flaw was found in Kubernetes' Kubelet API. A remote attacker can exploit this flaw by sending repeated, crafted HTTP requests to exhaust available memory and cause a crash." ],
  "statement" : "By default, OpenShift Container Platform does not allow unauthenticated access to the Kubelet API. OpenShift Container Platform versions before 4.2 are not affected by this vulnerability because they are based on earlier versions of Kubernetes, which do not include the Kubelet HTTP server metrics.",
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 4.3",
    "release_date" : "2020-04-07T00:00:00Z",
    "advisory" : "RHSA-2020:1276",
    "cpe" : "cpe:/a:redhat:openshift:4.3::el7",
    "package" : "openshift-0:4.3.10-202003300855.git.0.da48c1d.el8"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.3",
    "release_date" : "2020-04-08T00:00:00Z",
    "advisory" : "RHSA-2020:1277",
    "cpe" : "cpe:/a:redhat:openshift:4.3::el7",
    "package" : "openshift4/ose-hyperkube:v4.3.10-202003311925"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Not affected",
    "package_name" : "atomic-openshift",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/ose-hypershift",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/ose-openshift-apiserver-rhel8",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Not affected",
    "package_name" : "heketi",
    "cpe" : "cpe:/a:redhat:storage:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-8551\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-8551\nhttps://github.com/kubernetes/kubernetes/issues/89377\nhttps://groups.google.com/forum/#!topic/kubernetes-security-announce/2UOlsba2g0s" ],
  "name" : "CVE-2020-8551",
  "mitigation" : {
    "value" : "Prevent unauthenticated or unauthorized access to the Kubelet API",
    "lang" : "en:us"
  },
  "csaw" : false
}