305 matches found

RedHat Linux
added 2020/07/01 6:46 p.m. · 2 views

kubernetes: YAML parsing vulnerable to "Billion Laughs" attack, allowing for remote denial of service

A flaw was found in Kubernetes. The parsing of YAML manifests by the Kubernetes API server could lead to a denial-of-service attack, leaving it vulnerable to an instance of a "billion laughs" attack. The highest threat from this vulnerability is to system availability...

CVSS 7.5 | AI score 6.8 | EPSS 0.82787
Exploits 2 | References 5
RedHat Linux
added 2020/06/18 9:12 p.m. · 74 views

Moderate: Red Hat Security Advisory: OpenShift Container Platform 3.11 atomic-openshift security update

An update for atomic-openshift is now available for Red Hat OpenShift Container Platform 3.11. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for ea...

CVSS 7.5 | AI score 6.6 | EPSS 0.08633
Exploits 0 | References 4
NVD
added 2020/06/12 11:15 p.m. · 15 views

CVE-2020-10752

A flaw was found in the OpenShift API Server, where it failed to sufficiently protect OAuthTokens by leaking them into the logs when an API Server panic occurred. This flaw allows an attacker with the ability to cause an API Server error to read the logs, and use the leaked OAuthToken to log into...

CVSS 7.5 | EPSS 0.00299
Exploits 0 | References 2
OSV
added 2020/06/12 11:15 p.m. · 23 views

CVE-2020-10752

A flaw was found in the OpenShift API Server, where it failed to sufficiently protect OAuthTokens by leaking them into the logs when an API Server panic occurred. This flaw allows an attacker with the ability to cause an API Server error to read the logs, and use the leaked OAuthToken to log into...

CVSS 7.5 | AI score 6.4
Exploits 0 | References 2
Prion
added 2020/06/12 11:15 p.m. · 13 views

Design/Logic Flaw

A flaw was found in the OpenShift API Server, where it failed to sufficiently protect OAuthTokens by leaking them into the logs when an API Server panic occurred. This flaw allows an attacker with the ability to cause an API Server error to read the logs, and use the leaked OAuthToken to log into...

CVSS 6 | AI score 7.3 | EPSS 0.00299
Exploits 0 | References 2 | Affected software 1
Cvelist
added 2020/06/12 10:09 p.m. · 19 views

CVE-2020-10752

A flaw was found in the OpenShift API Server, where it failed to sufficiently protect OAuthTokens by leaking them into the logs when an API Server panic occurred. This flaw allows an attacker with the ability to cause an API Server error to read the logs, and use the leaked OAuthToken to log into...

AI score 7.7 | EPSS 0.00299
Exploits 0 | References 2
CVE
added 2020/06/12 10:09 p.m. · 210 views

CVE-2020-10752

CVE-2020-10752 — OpenShift API Server leaks OAuthTokens into logs during panics, enabling an attacker who can trigger an API error to read logs and reuse the leaked token to authenticate. Public details in provided documents confirm the vulnerability and its access/impact but do not include produ...

CVSS 7.5 | AI score 7.1 | EPSS 0.00299
In wild | Exploits 0 | References 2 | Affected software 1
Microsoft Secure
added 2020/06/10 6:00 p.m. · 42 views

Misconfigured Kubeflow workloads are a security risk

Azure Security Center (ASC) monitors and defends thousands of Kubernetes clusters running on top of AKS. Azure Security Center regularly searches for and researches new attack vectors against Kubernetes workloads. We recently published a blog post about a large-scale campaign against Kubernetes...

AI score 7
Exploits 0
RedhatCVE
added 2020/06/10 3:55 a.m. · 34 views

CVE-2020-10752

A flaw was found in the OpenShift API Server, where it failed to sufficiently protect OAuthTokens by leaking them into the logs when an API Server panic occurred. This flaw allows an attacker with the ability to cause an API Server error to read the logs, and use the leaked OAuthToken to log into...

CVSS 6 | AI score 1.9 | EPSS 0.00299
Exploits 0 | References 3
RedHat Linux
added 2020/05/28 10:55 a.m. · 1 view

kubernetes: Use of unbounded 'client' label in apiserver_request_total allows for memory exhaustion

A denial of service vulnerability was found in the Kubernetes API server. This flaw allows a remote attacker to send repeated, crafted HTTP requests to exhaust available memory and cause a crash...

CVSS 5.3 | AI score 7.2 | EPSS 0.00074
Exploits 0 | References 6
Hacker One
added 2020/04/27 12:04 a.m. · 28 views

Kubernetes: Bypass apiserver proxy filter

Report Submission Form Summary: TL;DR: Time-of-check apiserver proxy filter / Time-of-use apiserver proxy request race condition. When the apiserver is proxying a request to a node through one of its addresses, it performs a filter validation. If the address type is a DNS record Hostname, ExternalDN...

CVSS 3.5 | EPSS 0.00056
Exploits 0
RedHat Linux
added 2020/04/22 4:58 a.m. · 1 view

kubernetes: Use of unbounded 'client' label in apiserver_request_total allows for memory exhaustion

A denial of service vulnerability was found in the Kubernetes API server. This flaw allows a remote attacker to send repeated, crafted HTTP requests to exhaust available memory and cause a crash...

CVSS 5.3 | AI score 7.2 | EPSS 0.00074
Exploits 0 | References 6
ThreatPost
added 2020/04/07 1:55 p.m. · 75 views

Official Government COVID-19 Mobile Apps Hide a Raft of Threats

A rash of COVID-19 Android mobile apps have emerged that are aimed at helping citizens in Iran, Italy and Colombia track symptoms and virus infections. However, they’re also putting people’s privacy and the security of their data at risk, researchers have found. Security researchers at the ZeroFO...

CVSS 4.3 | AI score 5.5 | EPSS 0.00241
Exploits 0 | References 12
NVD
added 2020/04/01 9:15 p.m. · 17 views

CVE-2019-11254

The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML...

CVSS 6.5 | AI score 6.7 | EPSS 0.00121
Exploits 0 | References 3
Prion
added 2020/04/01 9:15 p.m. · 34 views

Code injection

The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML...

CVSS 4 | AI score 6.6 | EPSS 0.00121
Exploits 0 | References 3 | Affected software 1
CVE
added 2020/04/01 8:30 p.m. · 396 views

CVE-2019-11254

CVE-2019-11254 affects the Kubernetes API Server. An authorized user can send malicious YAML to cause the kube-apiserver to consume excessive CPU during YAML parsing. Affected: Kubernetes API Server versions 1.1–1.14 and pre-1.15.10, pre-1.16.7, and pre-1.17.3. Impact: potential resource exhausti...

CVSS 6.5 | AI score 6.5 | EPSS 0.00121
Exploits 0 | References 3 | Affected software 1
Cvelist
added 2020/04/01 8:30 p.m. · 16 views

CVE-2019-11254 Kubernetes API Server denial of service vulnerability from malicious YAML payloads

The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML...

CVSS 6.5 | AI score 6.7 | EPSS 0.00121
Exploits 0 | References 3
Debian CVE
added 2020/04/01 8:30 p.m. · 31 views

CVE-2019-11254

The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML...

CVSS 6.5 | AI score 6.9 | EPSS 0.00121
Exploits 0
RedHat Linux
added 2020/04/01 6:19 p.m. · 2 views

kubernetes: Use of unbounded 'client' label in apiserver_request_total allows for memory exhaustion

A denial of service vulnerability was found in the Kubernetes API server. This flaw allows a remote attacker to send repeated, crafted HTTP requests to exhaust available memory and cause a crash...

CVSS 5.3 | AI score 7.2 | EPSS 0.00074
Exploits 0 | References 6
RedhatCVE
added 2020/04/01 12:32 a.m. · 43 views

CVE-2019-11254

The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML. Mitigation Prevent unauthenticated or unauthorized...

CVSS 6.5 | AI score 4.8 | EPSS 0.00121
Exploits 0 | References 4