Any comments about billion laughs vulnerability CVE-2019-11253? #1262
Comments
|
(Whilst I'm not MS I know a bit about this vuln) The issue will occur wherever it is possible for a user to send YAML to the API Server or other service that will process YAML. If There are patches in upstream Kubernetes coming out and I believe they are due to drop on the 15th October kubernetes/kubernetes#83253 |
|
I did some digging into this and you can pull the config to confirm anonymous auth is false with this `kubectl proxy --port=8001 & NODE_NAME="YOUR-AKS-NODE-NAME"; curl -sSL "http:https://localhost:8001/api/v1/nodes/${NODE_NAME}/proxy/configz" | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' > kubelet_configz_${NODE_NAME}` Microsoft also has this in preview if you like living on the bleeding edge. |
|
That query will cover you for kubelet but probably not for the API server (not sure if there's a good way to see API server startup flags with AKS as it's a managed process) You could get your public API server and hit it with curl though Even if anonymous auth is enabled it doesn't necessarily expose you to this issue, unless an endpoint which allows for YAML to be POST'ed to the API server is exposed. |
|
Yes it's off on AKS --anonymous-auth=false Thanks for your answers @raesene I'll pin this for a while for info and then close |
|
Closing |
ghost
locked as resolved and limited conversation to collaborators
Just a question if you could comment about the 'billion laughs' vulnerability ?
I think that the api server and kubelets are running with --anonymous-auth=false.
But the api server is exposed on the internet.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11253
https://thenewstack.io/kubernetes-billion-laughs-vulnerability-is-no-laughing-matter
The text was updated successfully, but these errors were encountered: