Vulnerability Name: CVE-2019-11253 (CCN-168618) Assigned: 2019-09-28 Published: 2019-09-28 Updated: 2020-10-02 Summary: Improper input validation in the Kubernetes API server in versions v1.0-1.12 and versions prior to v1.13.12, v1.14.8, v1.15.5, and v1.16.2 allows authorized users to send malicious YAML or JSON payloads, causing the API server to consume excessive CPU or memory, potentially crashing and becoming unavailable. Prior to v1.14.0, default RBAC policy authorized anonymous users to submit requests that could trigger this vulnerability. Clusters upgraded from a version prior to v1.14.0 keep the more permissive policy by default for backwards compatibility. CVSS v3 Severity: 7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): LowPrivileges Required (PR): NoneUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): NoneIntegrity (I): NoneAvailibility (A): High
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): LowPrivileges Required (PR): NoneUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): NoneIntegrity (I): NoneAvailibility (A): High
CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): LowAuthentication (Au): NoneImpact Metrics: Confidentiality (C): NoneIntegrity (I): NoneAvailibility (A): Partial
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): LowAthentication (Au): NoneImpact Metrics: Confidentiality (C): NoneIntegrity (I): NoneAvailibility (A): Complete
Vulnerability Type: CWE-776 Vulnerability Consequences: Denial of Service References: Source: MITRECVE-2019-11253 RHSA-2019:3239 RHSA-2019:3811 RHSA-2019:3905 (CVE-2019-11253) - CVE-2019-11253 kubernetes: YAML parsing vulnerable to "Billion Laughs" attack, allowing for remote denial of service kubernetes-api-cve201911253-dos(168618) https://github.com/kubernetes/kubernetes/issues/83253 CVE-2019-11253: denial of service vulnerability from malicious YAML or JSON payloads Kubernetes https://security.netapp.com/advisory/ntap-20191031-0006/ Multiple Vulnerabilities in Kubernetes affects IBM Watson Studio Local IBM API Connect is impacted by a vulnerability in Kubernetes(CVE-2019-11253) A security vulnerability has been identified in Kubernetes shipped with PowerAI Vision Security Vulnerabilities affect IBM Cloud Private - Kubernetes (CVE-2019-17110, CVE-2019-10223, CVE-2019-11253) Open Source Security issues for AWS storage layer in NPS. Open Source Secuity issues fixed for NPS softlayer provisioner. Open Source Security issues for NPS service provider Multiple vulnerabilities in Kubernetes affect IBM InfoSphere Information Server Multiple vulnerabilities affect IBM Db2 On Openshift and IBM Db2 and Db2 Warehouse on Cloud Pak for Data IBM CICS TX Standard is vulnerable to multiple vulnerabilities in Golang Go and Kubernetes. IBM CICS TX Advanced is vulnerable to multiple vulnerabilities in Golang Go and Kubernetes. IBM Cloud Pak for Security includes components with multiple known vulnerabilities Vulnerable Configuration: Configuration 1 :cpe:/a:kubernetes:kubernetes:*:*:*:*:*:*:*:* (Version >= 1.1.0 and <= 1.12.10)OR cpe:/a:kubernetes:kubernetes:*:*:*:*:*:*:*:* (Version >= 1.13.0 and < 1.13.2) OR cpe:/a:kubernetes:kubernetes:*:*:*:*:*:*:*:* (Version >= 1.14.0 and < 1.14.8) OR cpe:/a:kubernetes:kubernetes:*:*:*:*:*:*:*:* (Version >= 1.15.0 and < 1.15.5) OR cpe:/a:kubernetes:kubernetes:*:*:*:*:*:*:*:* (Version >= 1.16.0 and < 1.16.2) Configuration 2 :cpe:/a:redhat:openshift_container_platform:3.9:*:*:*:*:*:*:* OR cpe:/a:redhat:openshift_container_platform:3.10:*:*:*:*:*:*:* OR cpe:/a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:* Configuration CCN 1 :cpe:/a:kubernetes:kube-apiserver:1.0.0:*:*:*:*:*:*:* OR cpe:/a:kubernetes:kube-apiserver:1.1:*:*:*:*:*:*:* OR cpe:/a:kubernetes:kube-apiserver:1.2:*:*:*:*:*:*:* OR cpe:/a:kubernetes:kube-apiserver:1.3:*:*:*:*:*:*:* OR cpe:/a:kubernetes:kube-apiserver:1.4:*:*:*:*:*:*:* OR cpe:/a:kubernetes:kube-apiserver:1.5:*:*:*:*:*:*:* OR cpe:/a:kubernetes:kube-apiserver:1.6:*:*:*:*:*:*:* OR cpe:/a:kubernetes:kube-apiserver:1.7:*:*:*:*:*:*:* OR cpe:/a:kubernetes:kube-apiserver:1.8:*:*:*:*:*:*:* OR cpe:/a:kubernetes:kube-apiserver:1.9:*:*:*:*:*:*:* OR cpe:/a:kubernetes:kube-apiserver:1.10:*:*:*:*:*:*:* OR cpe:/a:kubernetes:kube-apiserver:1.11:*:*:*:*:*:*:* OR cpe:/a:kubernetes:kube-apiserver:1.11.1:*:*:*:*:*:*:* OR cpe:/a:kubernetes:kube-apiserver:1.11.2:*:*:*:*:*:*:* OR cpe:/a:kubernetes:kube-apiserver:1.11.3:*:*:*:*:*:*:* OR cpe:/a:kubernetes:kube-apiserver:1.11.4:*:*:*:*:*:*:* OR cpe:/a:kubernetes:kube-apiserver:1.11.5:*:*:*:*:*:*:* OR cpe:/a:kubernetes:kube-apiserver:1.11.6:*:*:*:*:*:*:* OR cpe:/a:kubernetes:kube-apiserver:1.11.7:*:*:*:*:*:*:* OR cpe:/a:kubernetes:kube-apiserver:1.12.0:*:*:*:*:*:*:* OR cpe:/a:kubernetes:kube-apiserver:1.12.1:*:*:*:*:*:*:* OR cpe:/a:kubernetes:kube-apiserver:1.12.2:*:*:*:*:*:*:* OR cpe:/a:kubernetes:kube-apiserver:1.12.3:*:*:*:*:*:*:* OR cpe:/a:kubernetes:kube-apiserver:1.12.4:*:*:*:*:*:*:* OR cpe:/a:kubernetes:kube-apiserver:1.12.5:*:*:*:*:*:*:* OR cpe:/a:kubernetes:kube-apiserver:1.13.0:*:*:*:*:*:*:* OR cpe:/a:kubernetes:kube-apiserver:1.13.1:*:*:*:*:*:*:* OR cpe:/a:kubernetes:kube-apiserver:1.13.2:*:*:*:*:*:*:* OR cpe:/a:kubernetes:kube-apiserver:1.13.3:*:*:*:*:*:*:* AND cpe:/a:ibm:infosphere_information_server:11.7:*:*:*:*:*:*:* OR cpe:/a:ibm:api_connect:2018.4.1:*:*:*:*:*:*:* OR cpe:/a:ibm:watson_studio_local:1.2.3:*:*:*:*:*:*:* OR cpe:/a:ibm:powerai_vision:1.1.4:*:*:*:*:*:*:* OR cpe:/a:ibm:cloud_private:3.2.0:cd:*:*:*:*:*:* OR cpe:/a:ibm:cloud_private:3.2.1:cd:*:*:*:*:*:* OR cpe:/a:ibm:api_connect:2018.4.1.8:*:*:*:*:*:*:* OR cpe:/a:ibm:powerai_vision:1.1.3:*:*:*:*:*:*:* OR cpe:/a:ibm:db2_warehouse:3.5:-:*:*:*:*:*:* OR cpe:/a:ibm:db2_warehouse:4.0:-:*:*:*:*:*:* OR cpe:/a:ibm:db2:3.5:-:*:*:*:*:*:* OR cpe:/a:ibm:db2:4.0:-:*:*:*:*:*:* OR cpe:/a:ibm:cics_tx:11.1:*:*:*:standard:*:*:* OR cpe:/a:ibm:cics_tx:11.1:*:*:*:advanced:*:*:* OR cpe:/a:ibm:cloud_pak_for_security:1.10.0.0:*:*:*:*:*:*:* Oval Definitions BACK
kubernetes kubernetes *
kubernetes kubernetes *
kubernetes kubernetes *
kubernetes kubernetes *
kubernetes kubernetes *
redhat openshift container platform 3.9
redhat openshift container platform 3.10
redhat openshift container platform 3.11
kubernetes kube-apiserver 1.0.0
kubernetes kube-apiserver 1.1
kubernetes kube-apiserver 1.2
kubernetes kube-apiserver 1.3
kubernetes kube-apiserver 1.4
kubernetes kube-apiserver 1.5
kubernetes kube-apiserver 1.6
kubernetes kube-apiserver 1.7
kubernetes kube-apiserver 1.8
kubernetes kube-apiserver 1.9
kubernetes kube-apiserver 1.10
kubernetes kube-apiserver 1.11
kubernetes kube-apiserver 1.11.1
kubernetes kube-apiserver 1.11.2
kubernetes kube-apiserver 1.11.3
kubernetes kube-apiserver 1.11.4
kubernetes kube-apiserver 1.11.5
kubernetes kube-apiserver 1.11.6
kubernetes kube-apiserver 1.11.7
kubernetes kube-apiserver 1.12.0
kubernetes kube-apiserver 1.12.1
kubernetes kube-apiserver 1.12.2
kubernetes kube-apiserver 1.12.3
kubernetes kube-apiserver 1.12.4
kubernetes kube-apiserver 1.12.5
kubernetes kube-apiserver 1.13.0
kubernetes kube-apiserver 1.13.1
kubernetes kube-apiserver 1.13.2
kubernetes kube-apiserver 1.13.3
ibm infosphere information server 11.7
ibm api connect 2018.4.1
ibm watson studio local 1.2.3
ibm powerai vision 1.1.4
ibm cloud private 3.2.0 cd
ibm cloud private 3.2.1 cd
ibm api connect 2018.4.1.8
ibm powerai vision 1.1.3
ibm db2 warehouse 3.5 -
ibm db2 warehouse 4.0 -
ibm db2 3.5 -
ibm db2 4.0 -
ibm cics tx 11.1
ibm cics tx 11.1
ibm cloud pak for security 1.10.0.0
Denotes that component is vulnerable