Any comments about billion laughs vulnerability CVE-2019-11253? #1262
Comments
(Whilst I'm not MS, I know a bit about this vuln.) The issue will occur wherever it is possible for a user to send YAML to the API Server or another service that will process YAML. There are patches in upstream Kubernetes coming out, and I believe they are due to drop on the 15th October: kubernetes/kubernetes#83253
I did some digging into this, and you can pull the config to confirm anonymous auth is false with this: `kubectl proxy --port=8001 & NODE_NAME="YOUR-AKS-NODE-NAME"; curl -sSL "http://localhost:8001/api/v1/nodes/${NODE_NAME}/proxy/configz" | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' > kubelet_configz_${NODE_NAME}` Microsoft also has this in preview if you like living on the bleeding edge.
That query will cover you for kubelet, but probably not for the API server (not sure if there's a good way to see API server startup flags with AKS, as it's a managed process). You could get your public API server and hit it with curl, though. Even if anonymous auth is enabled it doesn't necessarily expose you to this issue, unless an endpoint which allows for YAML to be POST'ed to the API server is exposed.
Yes, it's off on AKS: --anonymous-auth=false. Thanks for your answers @raesene. I'll pin this for a while for info and then close.
Closing
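The two checks discussed above (the kubelet `configz` pull and an unauthenticated curl against the API server) can be turned into a small offline-testable script. This is an added example, not code from the thread or from the AKS project; the `configz` JSON and the probe bodies are constructed samples, and the function names are my own. It uses only the Python standard library so it runs without a cluster.

```python
import json

# Constructed sample of the JSON returned by GET /api/v1/nodes/<node>/proxy/configz
# (only the fields relevant to authentication are kept).
SAMPLE_CONFIGZ = json.dumps({
    "kubeletconfig": {
        "authentication": {
            "anonymous": {"enabled": False},
            "webhook": {"enabled": True, "cacheTTL": "2m0s"},
            "x509": {"clientCAFile": "/etc/kubernetes/certs/ca.crt"},
        },
        "authorization": {"mode": "Webhook"},
    }
})


def kubelet_anonymous_enabled(configz_text):
    """Return True/False for kubelet anonymous auth, or None if the field is absent.

    Accepts either the raw /configz body (wrapped in "kubeletconfig") or the
    KubeletConfiguration document that the jq filter in the thread writes to disk.
    None is returned instead of a guessed default because the --anonymous-auth
    flag default and the config-file default differ; an absent field needs a
    manual check rather than an assumption.
    """
    doc = json.loads(configz_text)
    cfg = doc.get("kubeletconfig", doc)
    try:
        return bool(cfg["authentication"]["anonymous"]["enabled"])
    except (KeyError, TypeError):
        return None


def classify_unauthenticated_probe(status, body):
    """Interpret the response to an unauthenticated GET against the API server.

    401: rejected at authentication, so anonymous auth is off.
    403 naming system:anonymous: anonymous auth is on but RBAC denied the request.
    2xx: anonymous auth is on and the path is reachable without credentials.
    """
    if status == 401:
        return "anonymous-disabled"
    if status == 403 and "system:anonymous" in body:
        return "anonymous-enabled-rbac-denied"
    if 200 <= status < 300:
        return "anonymous-enabled-allowed"
    return "unknown"


def findings(configz_text, status, body):
    """Combine both checks into a list of findings; an empty list means both look fine."""
    out = []
    anon = kubelet_anonymous_enabled(configz_text)
    if anon is None:
        out.append("kubelet: authentication.anonymous.enabled not present; verify manually")
    elif anon:
        out.append("kubelet: anonymous auth enabled")
    verdict = classify_unauthenticated_probe(status, body)
    if verdict != "anonymous-disabled":
        out.append("apiserver: " + verdict)
    return out


if __name__ == "__main__":
    # Constructed 401 body, the shape the API server returns when anonymous auth is off.
    probe_body = json.dumps({"kind": "Status", "status": "Failure",
                             "message": "Unauthorized", "code": 401})
    print(findings(SAMPLE_CONFIGZ, 401, probe_body))
```

In practice you would feed `kubelet_anonymous_enabled` the file written by the `kubectl proxy` / `curl` / `jq` pipeline above, and `classify_unauthenticated_probe` the status code and body from `curl -sk -o body.json -w '%{http_code}' https://<api-server>/api`. A 401 is the result you want to see; a 403 mentioning `system:anonymous` means anonymous auth is on and only RBAC stands between the request and the endpoint.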
Just a question: could you comment on the 'billion laughs' vulnerability?
I think that the API server and kubelets are running with --anonymous-auth=false.
But the API server is exposed on the internet.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11253
https://thenewstack.io/kubernetes-billion-laughs-vulnerability-is-no-laughing-matter