{"id":101625,"date":"2019-08-22T15:57:24","date_gmt":"2019-08-22T22:57:24","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=101625"},"modified":"2021-01-15T14:52:33","modified_gmt":"2021-01-15T22:52:33","slug":"cloud-kubernetes-vulnerable-denial-service-attacks","status":"publish","type":"post","link":"https:\/\/www2.paloaltonetworks.com\/blog\/2019\/08\/cloud-kubernetes-vulnerable-denial-service-attacks\/","title":{"rendered":"Kubernetes \u2013 Vulnerable to Denial-of-Service Attacks"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">On Wednesday, the Kubernetes Product Security Committee disclosed two new vulnerabilities affecting all released versions. The issues stem from eight denial-of-service attack methods against HTTP\/2 implementations that were found and disclosed two weeks ago by security researchers from Netflix and Google.<\/span><\/p>\n<h3><b>Background<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">HTTP\/2 is the protocol designed to succeed the long-lived HTTP\/1.1, adding features (stream multiplexing, flow control, header compression) that better suit modern HTTP use cases and improve performance. The HTTP\/2 specification was published in 2015 and has since been widely adopted by web servers and proxies.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In a <\/span><a href=\"https:\/\/github.com\/Netflix\/security-bulletins\/blob\/master\/advisories\/third-party\/2019-002.md\" rel=\"nofollow,noopener\" ><span style=\"font-weight: 400;\">security advisory<\/span><\/a><span style=\"font-weight: 400;\">, Netflix revealed that engineer Jonathan Looney had found that many HTTP\/2 implementations are vulnerable to a family of denial-of-service attacks. 
The advisory also lists one attack that was discovered by Piotr Sikora from Google\u2019s Envoy security team.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The advisory describes eight attacks (CVE-2019-9511 through CVE-2019-9518). Each is a cheap-to-send pattern of otherwise ordinary HTTP\/2 frames (PINGs, stream resets, SETTINGS, window updates) that makes the server spend CPU, memory or both far faster than the client spends producing it, potentially denying service to legitimate clients. The attacks target protocol behaviour rather than a particular implementation, so each implementation may be vulnerable to a different subset of them. A table describing how these vulnerabilities affect more than 230 vendors is provided on the <\/span><a href=\"https:\/\/www.kb.cert.org\/vuls\/id\/605641\/\" rel=\"nofollow,noopener\" ><span style=\"font-weight: 400;\">CERT\/CC information page<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The Go language was <\/span><a href=\"https:\/\/github.com\/golang\/go\/issues\/33606\" rel=\"nofollow,noopener\" ><span style=\"font-weight: 400;\">found<\/span><\/a><span style=\"font-weight: 400;\"> to be vulnerable to two of these attacks, CVE-2019-9512 (Ping Flood) and CVE-2019-9514 (Reset Flood), in its two official HTTP\/2 implementations, the standard-library <\/span><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">net\/http<\/span><span style=\"font-weight: 400;\"> package and <\/span><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">golang.org\/x\/net\/http2<\/span><span style=\"font-weight: 400;\">. 
Two Go point releases, go1.12.8 and go1.11.13, were <\/span><a href=\"https:\/\/golang.org\/doc\/devel\/release.html#go1.12\" rel=\"nofollow,noopener\" ><span style=\"font-weight: 400;\">released<\/span><\/a><span style=\"font-weight: 400;\"> with the fix; binaries built with an older toolchain remain vulnerable until they are rebuilt.<\/span><\/p>\n<h3><b>Kubernetes status<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Kubernetes is affected because it is written in Go and relies on Go\u2019s HTTP\/2 server implementation, so the fix is a rebuild with a patched toolchain. The Kubernetes team released three versions built with the fixed Go compilers: v1.15.3, v1.14.6 and v1.13.10.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The Kubernetes announcement notes that any Kubernetes component that accepts HTTP\/2 connections may be vulnerable in all previously released versions, so a cluster is protected only once every such component, not only the API server, runs a fixed build.\u00a0<\/span><\/p>\n<h3><b>Twistlock status<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">While Twistlock is written primarily in Go, it is not vulnerable to this class of attacks because of other mitigations already in place within our software.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">As ecosystem vendors assess the impact to their own Kubernetes distributions, Twistlock\u2019s Intelligence Stream will automatically update to include these findings. 
These vulnerabilities will then be detected within customer environments automatically, with no user interaction required.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>What you need to know about the two new vulnerabilities disclosed by the Kubernetes Product Security Committee <\/p>\n","protected":false},"author":156,"featured_media":96978,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[6768],"tags":[6731,515],"coauthors":[6875,6821],"class_list":["post-101625","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-secure-the-cloud","tag-kubernetes","tag-vulnerabilities"],"jetpack_featured_media_url":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/02\/corp-blog-cloud-600x300.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/101625","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/156"}],"replies":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=101625"}],"version-history":[{"count":4,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/101625\/revisions"}],"predecessor-version":[{"id":101646,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/101625\/revisions\/101646"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media\/96978"}],"wp:attachment":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=101625"}],"wp:term":[{"t
axonomy":"category","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=101625"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=101625"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=101625"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
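Added example, appended to the post above; it is not code from the post, from Twistlock, or from the Kubernetes project. It turns the post's version guidance into a check: a Kubernetes gitVersion is classified against the three fixed releases the post names (v1.13.10, v1.14.6, v1.15.3) and a Go toolchain version against the two fixed Go point releases (go1.11.13, go1.12.8), and both checks are applied to the JSON shape that `kubectl version -o json` prints (its `gitVersion` and `goVersion` fields are real). Assumptions beyond the post: a minor series newer than the newest fixed one is treated as fixed, a series older than the oldest received no fix and is reported vulnerable, and the sample kubectl output is constructed rather than captured from a real cluster. The two verdicts are kept separate on purpose: a distribution may rebuild an older Kubernetes release with a patched toolchain, so the `goVersion` a component reports is the more direct evidence of the fix.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strconv"
)

// series is the first patch release of one minor series that carries the fix
// for CVE-2019-9512 and CVE-2019-9514. Tables are ascending, newest series last.
type series struct{ minor, firstFixedPatch int }

var (
	fixedKubernetes = []series{{13, 10}, {14, 6}, {15, 3}} // v1.13.10, v1.14.6, v1.15.3
	fixedGo         = []series{{11, 13}, {12, 8}}          // go1.11.13, go1.12.8
	// "v1.15.2", or vendor-suffixed forms such as "v1.14.5-eks-abcdef".
	kubernetesRe = regexp.MustCompile(`^v?1\.(\d+)\.(\d+)`)
	// "go1.12.7", or patch-less forms such as "go1.13" (patch taken as 0).
	goRe = regexp.MustCompile(`^go1\.(\d+)(?:\.(\d+))?`)
)

// fixedAtLeast checks minor.patch against a fix table. Assumption not stated in
// the post: a series newer than the newest entry is fixed; older ones never were.
func fixedAtLeast(table []series, minor, patch int) bool {
	for _, s := range table {
		if s.minor == minor {
			return patch >= s.firstFixedPatch
		}
	}
	return minor > table[len(table)-1].minor
}

// KubernetesFixed reports whether a gitVersion is a fixed release or later.
func KubernetesFixed(gitVersion string) (bool, error) {
	m := kubernetesRe.FindStringSubmatch(gitVersion)
	if m == nil {
		return false, fmt.Errorf("unrecognised Kubernetes version %q", gitVersion)
	}
	minor, _ := strconv.Atoi(m[1])
	patch, _ := strconv.Atoi(m[2])
	return fixedAtLeast(fixedKubernetes, minor, patch), nil
}

// GoFixed reports whether a Go toolchain version string contains the fix.
func GoFixed(goVersion string) (bool, error) {
	m := goRe.FindStringSubmatch(goVersion)
	if m == nil {
		return false, fmt.Errorf("unrecognised Go version %q", goVersion)
	}
	minor, _ := strconv.Atoi(m[1])
	patch := 0
	if m[2] != "" {
		patch, _ = strconv.Atoi(m[2])
	}
	return fixedAtLeast(fixedGo, minor, patch), nil
}

// versionInfo mirrors the two kubectl version fields that matter here.
type versionInfo struct {
	GitVersion string `json:"gitVersion"`
	GoVersion  string `json:"goVersion"`
}

// Status keeps both verdicts separate: a rebuilt older release may report a
// patched goVersion, which is the more direct evidence of the fix.
type Status struct{ KubernetesFixed, GoFixed bool }

// Audit classifies every component in `kubectl version -o json` output, whose
// shape is {"clientVersion": {...}, "serverVersion": {...}}.
func Audit(kubectlJSON []byte) (map[string]Status, error) {
	var components map[string]versionInfo
	if err := json.Unmarshal(kubectlJSON, &components); err != nil {
		return nil, err
	}
	out := make(map[string]Status, len(components))
	for name, info := range components {
		k8sOK, err := KubernetesFixed(info.GitVersion)
		if err != nil {
			return nil, err
		}
		goOK, err := GoFixed(info.GoVersion)
		if err != nil {
			return nil, err
		}
		out[name] = Status{KubernetesFixed: k8sOK, GoFixed: goOK}
	}
	return out, nil
}

// Constructed sample in the shape kubectl prints; the values are invented for
// the demonstration, not captured from a real cluster.
const sampleKubectlJSON = `{
  "clientVersion": {"gitVersion": "v1.15.3", "goVersion": "go1.12.9"},
  "serverVersion": {"gitVersion": "v1.14.5-eks-constructed", "goVersion": "go1.12.7"}
}`

func main() {
	statuses, err := Audit([]byte(sampleKubectlJSON))
	if err != nil {
		panic(err)
	}
	for name, s := range statuses {
		fmt.Printf("%-14s release fixed: %-5v toolchain fixed: %v\n", name, s.KubernetesFixed, s.GoFixed)
	}
}
```

In use, pipe the real output in (`kubectl version -o json | go run audit.go` after swapping the constant for stdin) and run the same check against every other HTTP/2-serving component, since the post's point is that the API server is not the only affected endpoint; a component reporting a gitVersion below the fixed release but a patched goVersion is the rebuilt-distribution case the separate verdicts exist for.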