Hello Kubernetes Community,

A security issue has been found in the net/http library of the Go language that affects all versions and all components of Kubernetes. The vulnerabilities can result in a DoS against any process with an HTTP or HTTPS listener.

Am I vulnerable?

Yes. All versions of Kubernetes are affected.

Go has released versions go1.12.8 and go1.11.13, and we have released the following versions of Kubernetes built using patched versions of Go.

Kubernetes v1.15.3 - go1.12.9

Kubernetes v1.14.6 - go1.12.9

Kubernetes v1.13.10 - go1.11.13

How do I mitigate the vulnerability?

Upgrade to a patched version of Kubernetes, listed above.
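As an added example (not part of the advisory or Kubernetes code), the following Go sketch compares a reported `gitVersion` against the patched releases listed above. It assumes input shaped like the API server's `/version` JSON; the function name `Assess`, the verdict strings and the sample values are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strconv"
)

// First patched release per minor line, as listed in the advisory.
var fixedPatch = map[int]int{15: 3, 14: 6, 13: 10}

// Matches v1.MINOR.PATCH plus an optional upstream pre-release tag.
// Vendor suffixes (constructed example: "-vendor.1") are ignored.
var gitVersionRe = regexp.MustCompile(`^v1\.(\d+)\.(\d+)(-(?:alpha|beta|rc)[.\d]*)?`)

// Assess reads JSON carrying a gitVersion field and returns
// "patched", "vulnerable" or "unknown" relative to the advisory's list.
func Assess(versionJSON []byte) (string, error) {
	var info struct {
		GitVersion string `json:"gitVersion"`
	}
	if err := json.Unmarshal(versionJSON, &info); err != nil {
		return "", err
	}
	m := gitVersionRe.FindStringSubmatch(info.GitVersion)
	if m == nil {
		return "", fmt.Errorf("unrecognised gitVersion %q", info.GitVersion)
	}
	minor, _ := strconv.Atoi(m[1])
	patch, _ := strconv.Atoi(m[2])
	fixed, listed := fixedPatch[minor]
	switch {
	case minor < 13: // affected, and no patched release is listed
		return "vulnerable", nil
	case !listed: // newer minor than the advisory covers
		return "unknown", nil
	case patch < fixed:
		return "vulnerable", nil
	case patch == fixed && m[3] != "": // pre-release of the fixed patch
		return "unknown", nil
	}
	return "patched", nil
}

func main() {
	// Constructed sample input, not output from a real cluster.
	verdict, err := Assess([]byte(`{"gitVersion":"v1.14.5","goVersion":"go1.12.5"}`))
	fmt.Println(verdict, err)
}
```

Vendor-suffixed builds are judged on their upstream version number only, so confirm with the distribution whether its build uses a patched Go.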

How do I upgrade?

You can follow the upgrade instructions at Cluster Management - Kubernetes

Vulnerability details

Netflix recently announced a security advisory that identified several Denial of Service attack vectors that can affect server implementations of the HTTP/2 protocol, and has issued eight CVEs. [1]

Go is affected by two of the vulnerabilities (CVE-2019-9512 and CVE-2019-9514) and so Kubernetes components that serve HTTP/2 traffic (including /healthz) are also affected. [2]

These vulnerabilities allow untrusted clients to allocate an unlimited amount of memory, until the server crashes. The Product Security Committee has assigned this set of vulnerabilities a CVSS score of 7.5. [3]

[1]. https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md

[2]. https://golang.org/doc/devel/release.html#go1.12

[3]. https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Thank you

Thanks to Jonathan Looney from Netflix for discovering and reporting these issues to the Go community.

Thanks to Christoph Blecker, Benjamin Elder, and Tim Pepper for coordinating the fix and release.

Thank You,

Micah Hausler on behalf of the Kubernetes Product Security Committee