What is the vulnerability ID for this denial of service vulnerability?

The vulnerability ID for this denial of service vulnerability is CVE-2019-1002100.

What is the severity level of CVE-2019-1002100?

The severity level of CVE-2019-1002100 is medium with a score of 6.5.

Which versions of Kubernetes are affected by CVE-2019-1002100?

All Kubernetes versions prior to v1.11.8, v1.12.6, and v1.13.4 are affected by CVE-2019-1002100.

What is the recommended remedy for CVE-2019-1002100?

The recommended remedy for CVE-2019-1002100 is to update Kubernetes to version 1.11.8, 1.12.6, or 1.13.4.

Where can I find more information about CVE-2019-1002100?

You can find more information about CVE-2019-1002100 on the NIST NVD website, the Kubernetes GitHub page, and the Red Hat errata page.

Vulnerability/
CVE-2019-1002100

medium

6.5

CWE

770 20 400

26/2/2019

28/2/2019

1/4/2019

13/5/2022

5/8/2024

CVE-2019-1002100: Input Validation

First published: Tue Feb 26 2019(Updated: )

In all Kubernetes versions prior to v1.11.8, v1.12.6, and v1.13.4, users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type "json-patch" (e.g. `kubectl patch --type json` or `"Content-Type: application/json-patch+json"`) that consumes excessive resources while processing, causing a Denial of Service on the API Server.

Credit: josh@bress.net josh@bress.net

Affected Software	Affected Version	How to fix
go/k8s.io/kubernetes	>=1.13.0<=1.13.3	1.13.4
go/k8s.io/kubernetes	>=1.12.0<=1.12.5	1.12.6
go/k8s.io/kubernetes	>=1.11.0<=1.11.7	1.11.8
go/k8s.io/kubernetes	>=1.0<=1.10
redhat/kube-apiserver	<1.11.8	1.11.8
redhat/kube-apiserver	<1.12.6	1.12.6
redhat/kube-apiserver	<1.13.4	1.13.4
redhat/atomic-openshift	<0:3.10.181-1.git.0.3ab4b3d.el7	0:3.10.181-1.git.0.3ab4b3d.el7
redhat/atomic-openshift	<0:3.11.129-1.git.0.bd4f2d5.el7	0:3.11.129-1.git.0.bd4f2d5.el7
redhat/jenkins	<2-plugins-0:3.11.1560870549-1.el7	2-plugins-0:3.11.1560870549-1.el7
Kubernetes Kubernetes	<1.11.8
Kubernetes Kubernetes	>=1.12.0<1.12.6
Kubernetes Kubernetes	>=1.13.0<1.13.4
Redhat Openshift Container Platform	=3.10
Redhat Openshift Container Platform	=3.11

Remedy

Remove ‘patch’ permissions from untrusted users.

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

What is the vulnerability ID for this denial of service vulnerability?
The vulnerability ID for this denial of service vulnerability is CVE-2019-1002100.
What is the severity level of CVE-2019-1002100?
The severity level of CVE-2019-1002100 is medium with a score of 6.5.
Which versions of Kubernetes are affected by CVE-2019-1002100?
All Kubernetes versions prior to v1.11.8, v1.12.6, and v1.13.4 are affected by CVE-2019-1002100.
What is the recommended remedy for CVE-2019-1002100?
The recommended remedy for CVE-2019-1002100 is to update Kubernetes to version 1.11.8, 1.12.6, or 1.13.4.
Where can I find more information about CVE-2019-1002100?
You can find more information about CVE-2019-1002100 on the NIST NVD website, the Kubernetes GitHub page, and the Red Hat errata page.

collector/github-advisory-latest
alias/GHSA-q4rr-64r9-fwgf
alias/CVE-2019-1002100
collector/github-advisory
collector/redhat-cve
collector/nvd-index
collector/nvd-cve
agent/author
agent/type
agent/last-modified-date
agent/first-publish-date
agent/softwarecombine
agent/severity
agent/references
agent/weakness
agent/remedy
agent/description
collector/redhat-bugzilla
source/Red Hat
agent/software-canonical-lookup
agent/tags
agent/event
collector/mitre-cve
source/MITRE
package-manager/go
package-manager/redhat
vendor/kubernetes
canonical/kubernetes kubernetes
version/kubernetes kubernetes/1.12.0
version/kubernetes kubernetes/1.13.0
vendor/redhat
canonical/redhat openshift container platform
version/redhat openshift container platform/3.10
version/redhat openshift container platform/3.11