CVE-2024-0793
📋 TL;DR
A denial-of-service vulnerability in kube-controller-manager occurs when applying a Horizontal Pod Autoscaler (HPA) configuration YAML file that lacks a .spec.behavior.scaleUp block. This causes kube-controller-manager pods to enter a restart loop, disrupting Kubernetes cluster operations. This affects Kubernetes administrators managing clusters with HPA configurations.
💻 Affected Systems
- Kubernetes
- OpenShift Container Platform
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete disruption of kube-controller-manager functionality, preventing scaling operations and potentially affecting cluster stability and application availability.
Likely Case
Intermittent kube-controller-manager restarts causing temporary scaling operation failures and increased cluster management overhead.
If Mitigated
Minimal impact with proper configuration validation and monitoring in place.
🎯 Exploit Status
Exploitation requires cluster administrator privileges to apply HPA configurations. The vulnerability is triggered through legitimate administrative actions rather than malicious payloads.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kubernetes 1.28.8, 1.29.3, 1.30.0-alpha.3; OpenShift Container Platform 4.15.1
Vendor Advisory: https://access.redhat.com/security/cve/CVE-2024-0793
Restart Required: Yes
Instructions:
1. Update Kubernetes to the patched versions.
2. For OpenShift: update the cluster using 'oc adm upgrade' or through the web console.
3. Restart kube-controller-manager pods after the update.
🔧 Temporary Workarounds
Validate HPA configurations before applying
Ensure all HPA YAML configurations include a .spec.behavior.scaleUp block before applying them to the cluster
kubectl apply --dry-run=server -f hpa-config.yaml
oc apply --dry-run=server -f hpa-config.yaml
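A server-side dry run checks the manifest against the API schema, and .spec.behavior.scaleUp is optional in that schema, so a dry run alone will not reject a configuration that omits the block. The script below is an added example (not part of kubectl, Kubernetes or this advisory) that enforces the workaround as a policy check. It assumes JSON input in the shape kubectl emits: either `kubectl get hpa -A -o json` (a kind: List of existing objects) or `kubectl create --dry-run=client -o json -f hpa-config.yaml` for a single-object file awaiting approval; all function names and the embedded sample objects are constructed for the illustration.

```python
import json
import sys

# Added example: flag HorizontalPodAutoscaler objects that omit .spec.behavior.scaleUp.
# Not part of kubectl or Kubernetes; function names are illustrative.


def iter_hpa_objects(doc):
    """Yield every HorizontalPodAutoscaler in a decoded kubectl JSON document.

    Handles both a single object and a kind: List wrapper; other kinds are skipped."""
    if not isinstance(doc, dict):
        return
    if doc.get("kind") == "List":
        for item in doc.get("items", []):
            yield from iter_hpa_objects(item)
    elif doc.get("kind") == "HorizontalPodAutoscaler":
        yield doc


def scale_up_block(hpa):
    """Return the .spec.behavior.scaleUp mapping, or None if any level is absent."""
    behavior = (hpa.get("spec") or {}).get("behavior")
    if not isinstance(behavior, dict):
        return None
    scale_up = behavior.get("scaleUp")
    return scale_up if isinstance(scale_up, dict) else None


def hpas_missing_scale_up(doc):
    """Return 'namespace/name' for each HPA with no .spec.behavior.scaleUp block."""
    missing = []
    for hpa in iter_hpa_objects(doc):
        if scale_up_block(hpa) is None:
            meta = hpa.get("metadata") or {}
            missing.append(f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}")
    return missing


# Constructed sample in the shape of `kubectl get hpa -A -o json`: one compliant
# HPA and one that only configures scaleDown.
SAMPLE = {
    "kind": "List", "apiVersion": "v1",
    "items": [
        {
            "apiVersion": "autoscaling/v2", "kind": "HorizontalPodAutoscaler",
            "metadata": {"name": "web", "namespace": "shop"},
            "spec": {
                "scaleTargetRef": {"apiVersion": "apps/v1", "kind": "Deployment", "name": "web"},
                "minReplicas": 2, "maxReplicas": 10,
                "behavior": {
                    "scaleUp": {"stabilizationWindowSeconds": 0,
                                "policies": [{"type": "Percent", "value": 100, "periodSeconds": 15}]},
                    "scaleDown": {"stabilizationWindowSeconds": 300},
                },
            },
        },
        {
            "apiVersion": "autoscaling/v2", "kind": "HorizontalPodAutoscaler",
            "metadata": {"name": "worker", "namespace": "shop"},
            "spec": {
                "scaleTargetRef": {"apiVersion": "apps/v1", "kind": "Deployment", "name": "worker"},
                "minReplicas": 1, "maxReplicas": 5,
                "behavior": {"scaleDown": {"stabilizationWindowSeconds": 60}},  # no scaleUp block
            },
        },
    ],
}

if __name__ == "__main__":
    # Usage: python3 check_hpa.py hpa.json   (falls back to the embedded sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            doc = json.load(fh)
    else:
        doc = SAMPLE
    bad = hpas_missing_scale_up(doc)
    for ref in bad:
        print(f"HPA {ref} has no .spec.behavior.scaleUp block; add one before applying")
    sys.exit(1 if bad else 0)
```

The non-zero exit status lets the check sit in a CI or admission pipeline as the pre-application gate; a block that is present but empty (`scaleUp: {}`) is counted as present, since the advisory describes the trigger as the block being absent.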
🧯 If You Can't Patch
- Implement strict change control for HPA configurations with pre-application validation
- Monitor kube-controller-manager pod restarts and implement alerting for abnormal restart patterns
🔍 How to Verify
Check if Vulnerable:
Check Kubernetes version: kubectl version | grep Server (the --short flag was removed from kubectl in 1.28; the short output is now the default). If the server version is before 1.28.8, 1.29.3, or 1.30.0-alpha.3, the system is vulnerable.
Check Version:
kubectl version | grep Server
Verify Fix Applied:
After patching, verify that the reported server version is one of the patched versions, then apply a test HPA configuration without a .spec.behavior.scaleUp block and confirm that kube-controller-manager does not restart.
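The version comparison above, carried through as an added example (not code from the advisory or the Kubernetes project). It assumes the JSON form of the same command, `kubectl version -o json`, and the patched releases listed in this advisory; minor versions older than 1.28 are reported as vulnerable because no patched release is listed for them, suffixes other than alpha/beta/rc (a distribution's build tag such as `+k3s1` or `-eks-...`) are assumed to mark a final release rather than a pre-release, and OpenShift release numbers like 4.15.1 are not handled, only the Kubernetes server version the cluster reports. The sample output is constructed.

```python
import json
import re

# Added example, not kubectl's own logic.  Patched Kubernetes releases as listed
# in this advisory, keyed by minor version: minor -> (patch, pre-release or None).
PATCHED = {28: (8, None), 29: (3, None), 30: (0, ("alpha", 3))}
FIRST_PATCHED_MINOR = min(PATCHED)

# alpha < beta < rc < final release
PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}

# Accepts "v1.28.7", "v1.30.0-alpha.3", "v1.29.2+k3s1", "v1.28.8-eks-b9c9ed7", ...
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.\-]+))?(?:\+.*)?$")


def parse_git_version(git_version):
    """Split a gitVersion string into (major, minor, patch, prerelease).

    prerelease is None or a (tag, number) tuple, e.g. ("alpha", 3)."""
    m = VERSION_RE.match(git_version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {git_version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    prerelease = None
    if m.group(4):
        tag, _, num = m.group(4).partition(".")
        prerelease = (tag, int(num) if num.isdigit() else 0)
    return major, minor, patch, prerelease


def _pre_key(pre):
    """Sort key for pre-release tags.  A suffix that is not alpha/beta/rc is
    assumed (see lead-in) to be a vendor build tag on a final release."""
    if pre is None or pre[0] not in PRE_RANK:
        return (len(PRE_RANK), 0)
    return (PRE_RANK[pre[0]], pre[1])


def is_vulnerable(git_version):
    """True if the version is older than the patched release for its minor line."""
    major, minor, patch, pre = parse_git_version(git_version)
    if major != 1:
        raise ValueError("only Kubernetes 1.x version strings are handled")
    if minor < FIRST_PATCHED_MINOR:
        return True          # the advisory lists no patched release for older minors
    if minor not in PATCHED:
        return False         # minor lines newer than the last listed patched one
    fixed_patch, fixed_pre = PATCHED[minor]
    if patch != fixed_patch:
        return patch < fixed_patch
    return _pre_key(pre) < _pre_key(fixed_pre)


def server_git_version(kubectl_json_text):
    """Extract serverVersion.gitVersion from `kubectl version -o json` output."""
    return json.loads(kubectl_json_text)["serverVersion"]["gitVersion"]


def check_cluster(kubectl_json_text):
    """Return (server gitVersion, vulnerable?) for a `kubectl version -o json` document."""
    version = server_git_version(kubectl_json_text)
    return version, is_vulnerable(version)


# Constructed sample of `kubectl version -o json` output (not from a real cluster).
SAMPLE_KUBECTL_JSON = """{
  "clientVersion": {"major": "1", "minor": "29", "gitVersion": "v1.29.3"},
  "serverVersion": {"major": "1", "minor": "28", "gitVersion": "v1.28.7", "platform": "linux/amd64"}
}"""

if __name__ == "__main__":
    # Usage: kubectl version -o json | python3 check_version.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_KUBECTL_JSON
    version, vulnerable = check_cluster(text)
    print(f"server {version}: {'VULNERABLE, update' if vulnerable else 'patched'}")
```

The comparison is done per minor line rather than as a single ordering, because 1.28.8 is patched while 1.29.2, which sorts after it, is not.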
📡 Detection & Monitoring
Log Indicators:
- Frequent kube-controller-manager pod restarts in short timeframes
- Error logs mentioning HPA configuration parsing failures
Network Indicators:
- Increased API server load from controller manager restarts
SIEM Query:
kubernetes.pod.name:"kube-controller-manager" AND kubernetes.event.type:"Warning" AND message:"restarting"
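The same restart-pattern logic as the SIEM query above, run over Kubernetes Event objects, as an added example (not from the advisory or any product). It assumes the input shape of `kubectl get events -n kube-system -o json` (Warning events whose message mentions restarting, with `count` and `lastTimestamp`), treats a pod as looping when its restart events reach a count threshold inside a time window measured back from the newest event seen, and matches pods by the kube-controller-manager name prefix; the threshold, window and sample events are constructed.

```python
import json
from datetime import datetime, timedelta

# Added example: flag kube-controller-manager pods in a restart loop from Event objects.
# Not part of kubectl or any SIEM; thresholds and function names are illustrative.


def parse_ts(ts):
    """Parse the RFC 3339 UTC timestamps Kubernetes events carry."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def restart_loop_pods(events, *, min_count=5, window=timedelta(minutes=10),
                      name_prefix="kube-controller-manager"):
    """Return {namespace/pod: restart-event count} for matching pods whose Warning
    events about restarting containers reached min_count within `window` before
    the newest event in the batch."""
    newest = max((parse_ts(e["lastTimestamp"]) for e in events), default=None)
    if newest is None:
        return {}
    cutoff = newest - window
    hits = {}
    for e in events:
        obj = e.get("involvedObject", {})
        if obj.get("kind") != "Pod" or not obj.get("name", "").startswith(name_prefix):
            continue
        # Same filter as the SIEM query: Warning type, message mentioning a restart.
        if e.get("type") != "Warning" or "restarting" not in e.get("message", "").lower():
            continue
        if parse_ts(e["lastTimestamp"]) < cutoff:
            continue          # stale event, outside the alerting window
        key = f"{obj.get('namespace', 'default')}/{obj['name']}"
        hits[key] = hits.get(key, 0) + int(e.get("count", 1))
    return {k: v for k, v in hits.items() if v >= min_count}


def events_from_kubectl_json(text):
    """Unwrap the kind: List document that `kubectl get events -o json` prints."""
    return json.loads(text)["items"]


# Constructed sample events (not from a real cluster).
SAMPLE_EVENTS = [
    {"type": "Warning", "reason": "BackOff", "count": 7,
     "message": "Back-off restarting failed container kube-controller-manager in pod "
                "kube-controller-manager-cp-1_kube-system(pod-uid)",
     "involvedObject": {"kind": "Pod", "namespace": "kube-system",
                        "name": "kube-controller-manager-cp-1"},
     "firstTimestamp": "2024-03-05T09:00:00Z", "lastTimestamp": "2024-03-05T09:12:00Z"},
    {"type": "Normal", "reason": "Pulled", "count": 7,
     "message": "Container image already present on machine",
     "involvedObject": {"kind": "Pod", "namespace": "kube-system",
                        "name": "kube-controller-manager-cp-1"},
     "firstTimestamp": "2024-03-05T09:00:00Z", "lastTimestamp": "2024-03-05T09:12:00Z"},
    {"type": "Warning", "reason": "BackOff", "count": 1,
     "message": "Back-off restarting failed container app in pod app-5d9_shop(pod-uid)",
     "involvedObject": {"kind": "Pod", "namespace": "shop", "name": "app-5d9"},
     "firstTimestamp": "2024-03-05T09:11:00Z", "lastTimestamp": "2024-03-05T09:11:00Z"},
    {"type": "Warning", "reason": "BackOff", "count": 30,
     "message": "Back-off restarting failed container kube-controller-manager in pod "
                "kube-controller-manager-cp-2_kube-system(pod-uid)",
     "involvedObject": {"kind": "Pod", "namespace": "kube-system",
                        "name": "kube-controller-manager-cp-2"},
     "firstTimestamp": "2024-03-04T21:30:00Z", "lastTimestamp": "2024-03-04T22:00:00Z"},
]

if __name__ == "__main__":
    # Usage: kubectl get events -n kube-system -o json | python3 restart_watch.py
    import sys
    events = events_from_kubectl_json(sys.stdin.read()) if not sys.stdin.isatty() else SAMPLE_EVENTS
    for pod, n in sorted(restart_loop_pods(events).items()):
        print(f"ALERT {pod}: {n} restart events inside the window")
```

Widening the window is how the stale cp-2 burst from the previous evening would be surfaced; keeping it narrow is what separates a restart loop from the occasional single restart that the "likely case" above describes.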