CVE-2019-11253

Yesterday a notice for CVE-2019-11253 with a severity of High went out, impacting all versions of Kubernetes.

CVE-2019-11253 is a denial of service vulnerability in the kube-apiserver, allowing authorized users sending malicious YAML or JSON payloads to cause kube-apiserver to consume excessive CPU or memory, potentially crashing and becoming unavailable. This vulnerability has been given an initial severity of High, with a score of 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Prior to v1.14.0, default RBAC policy authorized anonymous users to submit requests that could trigger this vulnerability. Clusters upgraded from a version prior to v1.14.0 keep the more permissive policy by default for backwards compatibility. See the mitigation section below for instructions on how to install the more restrictive v1.14+ policy.

While we’re phasing out our K8s 1.11.10 clusters, they won’t get new updates so we’ve deployed mitigations across all our managed clusters.

Both our KOPS-based and EKS clusters have mitigations for this vulnerability in place and you don’t require to take further action.