CVE-2019-11253
📋 TL;DR
CVE-2019-11253 is an input-validation flaw in the Kubernetes API server: authorized users can send malicious YAML or JSON payloads that make the API server consume excessive CPU or memory, potentially crashing it and making it unavailable. It affects Kubernetes versions v1.0-1.12 and versions prior to v1.13.12, v1.14.8, v1.15.5, and v1.16.2. Prior to v1.14.0, the default RBAC policy authorized anonymous users to submit requests that could trigger this vulnerability.
💻 Affected Systems
- Kubernetes
📦 What is this software?
Kubernetes by Kubernetes
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service affecting the entire Kubernetes cluster, making all managed applications and services unavailable.
Likely Case
API server crashes or becomes unresponsive, disrupting cluster management operations and potentially affecting application availability.
If Mitigated
Minimal impact with proper RBAC restrictions and network controls limiting access to authorized users only.
🎯 Exploit Status
Exploitation requires sending specially crafted YAML or JSON payloads to the Kubernetes API server endpoints. Prior to v1.14.0, anonymous users could exploit this by default.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v1.13.12, v1.14.8, v1.15.5, v1.16.2 and later
Vendor Advisory: https://groups.google.com/forum/#!topic/kubernetes-security-announce/jk8polzSUxs
Restart Required: Yes
Instructions:
1. Upgrade Kubernetes to a patched version: v1.13.12+, v1.14.8+, v1.15.5+, or v1.16.2+.
2. Restart the API server components.
3. Verify the upgrade with kubectl version.
🔧 Temporary Workarounds
Restrict API Server Access
Platform: Linux
Limit network access to the Kubernetes API server using firewall rules or network policies.
iptables -A INPUT -p tcp --dport 6443 -s trusted_ip_range -j ACCEPT
iptables -A INPUT -p tcp --dport 6443 -j DROP
Strengthen RBAC Policies
Platform: All
Remove anonymous access and restrict authenticated user permissions to the minimum required. Note that the default bindings that exposed unauthenticated access are not named system:anonymous or system:unauthenticated; list every binding whose subjects include those identities, remove the subject, and turn off anonymous authentication at the API server.
kubectl get clusterrolebindings -o wide | grep -E 'system:(unauthenticated|anonymous)'
# remove the system:unauthenticated group / system:anonymous user from each binding listed above, then
# add --anonymous-auth=false to the kube-apiserver flags and restart it
🧯 If You Can't Patch
- Implement strict network segmentation and firewall rules to limit API server access to trusted sources only.
- Apply restrictive RBAC policies to eliminate anonymous access and minimize authenticated user permissions.
🔍 How to Verify
Check if Vulnerable:
Check the Kubernetes server version with kubectl version and compare it against the affected versions. Also verify that no RBAC bindings grant access to anonymous users.
Check Version:
kubectl version --short
Verify Fix Applied:
Confirm Kubernetes version is v1.13.12+, v1.14.8+, v1.15.5+, or v1.16.2+ using kubectl version. Test API server functionality.
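As an added check (not part of this advisory), the following Python script applies the affected-version ranges above to a kube-apiserver gitVersion and scans a ClusterRoleBinding list for subjects that grant anonymous callers access. It runs on constructed samples in the shape of `kubectl version -o json` and `kubectl get clusterrolebindings -o json` output; feed it the real output of those commands to assess a cluster.

```python
import json
import re

# First patched release of each affected minor line (from the advisory).
# 1.12 and earlier have no fixed release; 1.17 and later shipped with the fix.
FIXED_PATCH = {13: 12, 14: 8, 15: 5, 16: 2}

def parse_git_version(git_version):
    """'v1.14.3-gke.11' -> (1, 14, 3); distro suffixes after the patch number are ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", git_version)
    if not m:
        raise ValueError("unrecognised version: %r" % git_version)
    return tuple(int(x) for x in m.groups())

def is_vulnerable(git_version):
    """True when the server version falls inside the ranges affected by CVE-2019-11253."""
    major, minor, patch = parse_git_version(git_version)
    if major != 1:
        return False            # the advisory only covers the 1.x line
    if minor <= 12:
        return True             # v1.0-1.12: every release is affected
    fixed = FIXED_PATCH.get(minor)
    if fixed is None:
        return False            # 1.17+ were cut after the fix landed
    return patch < fixed

def bindings_with_anonymous_access(clusterrolebindings_json):
    """Names of ClusterRoleBindings whose subjects include anonymous callers."""
    anonymous = {("Group", "system:unauthenticated"), ("User", "system:anonymous")}
    flagged = []
    for item in json.loads(clusterrolebindings_json).get("items", []):
        subjects = item.get("subjects") or []       # subjects may be absent entirely
        if any((s.get("kind"), s.get("name")) in anonymous for s in subjects):
            flagged.append(item["metadata"]["name"])
    return flagged

def assess(version_json, bindings_json):
    """Combine both checks into one verdict for the cluster."""
    server = json.loads(version_json)["serverVersion"]["gitVersion"]
    return {"server_version": server,
            "vulnerable_version": is_vulnerable(server),
            "anonymous_bindings": bindings_with_anonymous_access(bindings_json)}

# Constructed samples (not captured from a real cluster) mimicking the two kubectl outputs.
SAMPLE_VERSION = '{"serverVersion": {"major": "1", "minor": "14", "gitVersion": "v1.14.3"}}'
SAMPLE_BINDINGS = json.dumps({"kind": "List", "items": [
    {"metadata": {"name": "system:discovery"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"},
                  {"kind": "Group", "name": "system:unauthenticated"}]},
    {"metadata": {"name": "cluster-admin"}, "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "no-subjects"}}]})

if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_VERSION, SAMPLE_BINDINGS), indent=2))
```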
📡 Detection & Monitoring
Log Indicators:
- Unusual CPU/memory spikes in API server metrics
- Multiple large YAML/JSON payload requests
- API server crash/restart events
Network Indicators:
- High volume of requests to API server endpoints (6443, 8080)
- Large payload sizes in API requests
SIEM Query:
source="kube-apiserver" AND ("out of memory" OR "panic" OR "crash") OR (request_size > 1000000)
🔗 References
- https://access.redhat.com/errata/RHSA-2019:3239
- https://access.redhat.com/errata/RHSA-2019:3811
- https://access.redhat.com/errata/RHSA-2019:3905
- https://github.com/kubernetes/kubernetes/issues/83253
- https://groups.google.com/forum/#%21topic/kubernetes-security-announce/jk8polzSUxs
- https://security.netapp.com/advisory/ntap-20191031-0006/