CVE-2020-8551: Kubelet DoS via API #89377

@tallclair

Description

CVSS Rating: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (Medium)

The Kubelet has been found to be vulnerable to a denial of service attack via the kubelet API, including the unauthenticated HTTP read-only API typically served on port 10255, and the authenticated HTTPS API typically served on port 10250.

Am I vulnerable?

If an attacker can send a request to the API of an unpatched kubelet on either port, you may be vulnerable. The read-only port (10255) requires no authentication, so network reachability alone is enough there; on the HTTPS port (10250) the request must still reach the kubelet, but the attacker does not need valid credentials if anonymous access is allowed.

Affected Versions

  • kubelet v1.17.0 - v1.17.2
  • kubelet v1.16.0 - v1.16.6
  • kubelet v1.15.0 - v1.15.9

How do I mitigate this vulnerability?

Limit access to the Kubelet API or patch the Kubelet. Limiting access means restricting network reachability of the kubelet ports (10250 and 10255) to the API server and trusted hosts, disabling the unauthenticated read-only port (--read-only-port=0 on the command line, or readOnlyPort: 0 in the KubeletConfiguration), and requiring authentication and authorization on the HTTPS port (--anonymous-auth=false and --authorization-mode=Webhook). Patching means upgrading the kubelet on every node to one of the fixed versions below.

Fixed Versions

  • v1.17.3
  • v1.16.7
  • v1.15.10

To upgrade, refer to the documentation: https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster
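The two checks an operator needs here, "is my kubelet version in an affected range?" and "is the kubelet API reachable without authentication?", can be done offline. The following Go program is an added example written for this page; it is not code from the Kubernetes project or from this issue. It classifies a kubelet version string against the affected ranges listed above and reads a KubeletConfiguration (JSON form) to report the settings that leave the API open: a non-zero readOnlyPort, authentication.anonymous.enabled set to true, and authorization.mode AlwaysAllow. The sample configurations are constructed for illustration, and the defaults applied when a field is omitted (readOnlyPort 10255, anonymous auth disabled, authorization mode Webhook) are assumed to match the documented KubeletConfiguration defaults.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// affectedRanges: minor -> highest affected patch from this advisory (fixed in patch+1).
var affectedRanges = map[int]int{15: 9, 16: 6, 17: 2}

// parseVersion turns "v1.16.5" (a "-gke.1" or "+build" suffix is ignored) into major, minor, patch.
func parseVersion(v string) (major, minor, patch int, err error) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return 0, 0, 0, fmt.Errorf("unexpected kubelet version %q", v)
	}
	var n [3]int
	for i, p := range parts {
		if n[i], err = strconv.Atoi(p); err != nil {
			return 0, 0, 0, fmt.Errorf("unexpected kubelet version %q: %w", v, err)
		}
	}
	return n[0], n[1], n[2], nil
}

// AffectedByCVE20208551 reports whether a kubelet version falls in a range the advisory
// lists as vulnerable. Minors the advisory does not list (1.14 and older, 1.18 and newer)
// are reported as not affected.
func AffectedByCVE20208551(version string) (bool, error) {
	major, minor, patch, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	maxPatch, listed := affectedRanges[minor]
	return major == 1 && listed && patch <= maxPatch, nil
}

// kubeletConfig holds the KubeletConfiguration fields that decide who can reach the
// kubelet API. Pointers distinguish an omitted field from one explicitly set to zero/false.
type kubeletConfig struct {
	ReadOnlyPort   *int32 `json:"readOnlyPort"`
	Authentication struct {
		Anonymous struct {
			Enabled *bool `json:"enabled"`
		} `json:"anonymous"`
	} `json:"authentication"`
	Authorization struct {
		Mode string `json:"mode"`
	} `json:"authorization"`
}

// ExposureFindings decodes a KubeletConfiguration in JSON form and lists the settings that
// leave the API reachable without authentication. Omitted fields are assumed to take the
// documented defaults: readOnlyPort 10255, anonymous auth disabled, authorization Webhook.
func ExposureFindings(configJSON []byte) ([]string, error) {
	var cfg kubeletConfig
	if err := json.Unmarshal(configJSON, &cfg); err != nil {
		return nil, err
	}
	var findings []string
	readOnlyPort := int32(10255) // assumed default when the field is omitted
	if cfg.ReadOnlyPort != nil {
		readOnlyPort = *cfg.ReadOnlyPort
	}
	if readOnlyPort != 0 {
		findings = append(findings, fmt.Sprintf("read-only port %d is enabled and unauthenticated; set readOnlyPort: 0", readOnlyPort))
	}
	if a := cfg.Authentication.Anonymous.Enabled; a != nil && *a {
		findings = append(findings, "anonymous authentication is enabled on the HTTPS port; set authentication.anonymous.enabled: false")
	}
	if cfg.Authorization.Mode == "AlwaysAllow" {
		findings = append(findings, "authorization mode is AlwaysAllow; set authorization.mode: Webhook")
	}
	return findings, nil
}

// Constructed sample configurations (not taken from any real node).
const WeakConfig = `{"kind":"KubeletConfiguration","readOnlyPort":10255,
 "authentication":{"anonymous":{"enabled":true}},"authorization":{"mode":"AlwaysAllow"}}`
const HardenedConfig = `{"kind":"KubeletConfiguration","readOnlyPort":0,
 "authentication":{"anonymous":{"enabled":false},"webhook":{"enabled":true}},
 "authorization":{"mode":"Webhook"}}`

func main() {
	for _, v := range []string{"v1.16.5", "v1.16.7", "v1.17.0-gke.1"} {
		affected, err := AffectedByCVE20208551(v)
		fmt.Printf("%-14s affected=%v err=%v\n", v, affected, err)
	}
	for _, c := range []struct{ name, cfg string }{{"weak", WeakConfig}, {"hardened", HardenedConfig}} {
		findings, err := ExposureFindings([]byte(c.cfg))
		fmt.Printf("%s config: %d finding(s) err=%v %q\n", c.name, len(findings), err, findings)
	}
}
```

On a live cluster the version strings come from kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.status.nodeInfo.kubeletVersion}{"\n"}{end}', and a node's effective configuration can be fetched with kubectl get --raw /api/v1/nodes/NODE/proxy/configz, which wraps the KubeletConfiguration in a top-level kubeletconfig object that you would unwrap before passing it to ExposureFindings. Because the read-only port defaults to 10255 when the field is omitted, a configuration that simply never mentions readOnlyPort is still reported.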

Acknowledgements

This vulnerability was reported by: Henrik Schmidt

/area security
/kind bug
/committee product-security
/sig node
/area kubelet
