Security Bulletin: IBM Cloud Kubernetes Service is affected by Kubernetes Ingress Controller security vulnerabilities (CVE-2023-44487)

2023-10-26 14:34:53
www.ibm.com

CVSS3 base score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

EPSS: 0.708 (percentile 98.1%)

Summary

IBM Cloud Kubernetes Service is affected by a Kubernetes Ingress Controller security vulnerability in the HTTP/2 protocol that allows a denial of service because request cancellation can reset many streams quickly (CVE-2023-44487).

Vulnerability Details

CVE-2023-44487
Description:
The HTTP/2 protocol is vulnerable to a denial of service, caused by an uncontrolled server resource consumption flaw, because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. By sending specially crafted requests using an HTTP/2 client, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base Score: 7.5
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/268645 for more information
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

IBM Cloud Kubernetes Service clusters with Kubernetes Ingress application load balancers (ALBs) with versions below 1.8.4_5586_iks.

Remediation/Fixes

ALB version 1.8.4_5586_iks contains fixes for this vulnerability and will be marked as the default version for ALBs. Automatic updates to Ingress ALBs are enabled by default, therefore ALBs are automatically updated by IBM when a new default image version is available.

To verify that the Kubernetes Ingress application load balancers (ALBs) in your IBM Cloud Kubernetes Service clusters are no longer exposed to this vulnerability, use the following IBM Cloud CLI command to list all Ingress ALB IDs in a cluster and confirm their version:

ibmcloud ks ingress alb ls

If the ALBs are at version 1.8.4_5586_iks or later, they are no longer exposed to this vulnerability.

If the version has not been automatically updated, use the following IBM Cloud CLI command to check the configuration of automatic updates:

ibmcloud ks ingress alb autoupdate get

If automatic updates for the Ingress ALBs are disabled, you can force a one-time update of your ALBs with the following command:

ibmcloud ks ingress alb update --version 1.8.4_5586_iks

After you force a one-time update, automatic updates remain disabled. You can use the following IBM Cloud CLI command to re-enable the automatic updates by IBM when a new default image version is available:

ibmcloud ks ingress alb autoupdate enable
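The check described in the steps above, as an added example that is not part of the IBM bulletin: a POSIX shell helper that compares ALB image versions of the form MAJOR.MINOR.PATCH_BUILD_iks against the fixed version 1.8.4_5586_iks and lists the ALBs that still need an update. The "ID VERSION" input lines are constructed for this example; the real table layout printed by `ibmcloud ks ingress alb ls` is assumed, not reproduced.

```shell
#!/bin/sh
# Added example, not from the IBM bulletin. Version the bulletin names as fixed:
FIXED_ALB_VERSION="1.8.4_5586_iks"

# Print the four numeric fields of an ALB version as "MAJOR MINOR PATCH BUILD".
# Malformed input is echoed back unchanged so the caller can detect it.
alb_version_parts() {
  printf '%s\n' "$1" | sed -E 's/^([0-9]+)\.([0-9]+)\.([0-9]+)_([0-9]+)_iks$/\1 \2 \3 \4/'
}

# alb_version_at_least HAVE WANT: exit 0 if HAVE >= WANT, 1 if HAVE is older,
# 2 if either string is not a well-formed ALB version (lexical compare is wrong
# here: build 5586 must sort after build 600, so fields are compared as integers).
alb_version_at_least() {
  have=$(alb_version_parts "$1"); want=$(alb_version_parts "$2")
  if [ "$have" = "$1" ] || [ "$want" = "$2" ]; then return 2; fi
  set -- $have; h1=$1; h2=$2; h3=$3; h4=$4
  set -- $want; w1=$1; w2=$2; w3=$3; w4=$4
  for pair in "$h1 $w1" "$h2 $w2" "$h3 $w3" "$h4 $w4"; do
    set -- $pair
    if [ "$1" -gt "$2" ]; then return 0; fi
    if [ "$1" -lt "$2" ]; then return 1; fi
  done
  return 0
}

# Read "ALB_ID VERSION" lines on stdin and print the ALBs still exposed
# (older than FIXED_ALB_VERSION) or whose version could not be parsed.
unpatched_albs() {
  while read -r alb_id version; do
    [ -n "$alb_id" ] || continue
    alb_version_at_least "$version" "$FIXED_ALB_VERSION" || echo "$alb_id $version"
  done
}

# Constructed sample input (placeholder IDs and versions): one ALB on an older
# image, one already on the fixed image.
SAMPLE_ALBS='public-crEXAMPLE-alb1 1.8.3_5500_iks
private-crEXAMPLE-alb1 1.8.4_5586_iks'

# Prints only the first ALB, which still needs `ibmcloud ks ingress alb update`.
printf '%s\n' "$SAMPLE_ALBS" | unpatched_albs
```

To run it against a live cluster, feed the ID and version columns of the `ibmcloud ks ingress alb ls` output (column positions depend on the CLI version, so check them first) into `unpatched_albs` on stdin.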
