Container Service for Kubernetes has included a fix for CVE-2019-11253. This topic describes the impact of this vulnerability and how to fix it.

Background

The Kubernetes community disclosed CVE-2019-11253, an input-validation flaw in the Kubernetes API server (kube-apiserver). A user who is authorized to send POST requests to the API server can submit a specially crafted YAML or JSON payload that makes the API server consume excessive CPU and memory while parsing it, until the API server slows down, crashes, or becomes unavailable (a denial of service, DoS). Note that before Kubernetes v1.14.0 the default RBAC bindings also allowed anonymous (system:unauthenticated) users to send requests that reach this code path, and clusters upgraded from such versions keep those permissive bindings, so on those clusters the attack is not limited to users who hold credentials. Container Service for Kubernetes has upgraded Kubernetes to include the fix for this vulnerability. We recommend that you log on to the console and upgrade your Kubernetes cluster.

For more information about CVE-2019-11253, see CVE-2019-11253.

Affected versions

  • Kubernetes v1.0.x - 1.12.x
  • Kubernetes v1.13.0-1.13.11 (fixed in 1.13.12)
  • Kubernetes v1.14.0-1.14.7 (fixed in 1.14.8)
  • Kubernetes v1.15.0-1.15.4 (fixed in 1.15.5)
  • Kubernetes v1.16.0-1.16.1 (fixed in 1.16.2)
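The ranges above can be checked mechanically against the version a cluster actually runs. The following script is an added example and is not part of the original page or of any ACK tooling: it compares a Kubernetes version string with the fixed-in patch levels listed above and evaluates the JSON printed by `kubectl version -o json`, looking only at `serverVersion`, because the flaw is in kube-apiserver rather than in kubectl. The vendor-suffixed tag format (`v1.14.6-aliyun.1`), the treatment of 1.17 and later as fixed, and the sample `kubectl` output are assumptions, not data from the page or from a real cluster.

```python
import json
import re

# Fixed-in patch level for each minor line, from the affected-versions list above.
# 1.0 through 1.12 never received a fixed patch release; 1.17 and later shipped
# with the fix (that last point is beyond the page's list and is an assumption).
FIXED_IN = {13: 12, 14: 8, 15: 5, 16: 2}
FIRST_FIXED_MINOR = 13

# Accepts "v1.14.6", "1.14.6" and vendor-suffixed tags such as "v1.14.6-aliyun.1"
# (assumed ACK tag format); only the numeric triple is compared.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(version):
    """Return (major, minor, patch) from a Kubernetes gitVersion string."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognized Kubernetes version: %r" % version)
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True if an API server at this version is affected by CVE-2019-11253."""
    major, minor, patch = parse_version(version)
    if major != 1:
        raise ValueError("only Kubernetes 1.x is covered: %r" % version)
    if minor < FIRST_FIXED_MINOR:
        return True                      # 1.0.x .. 1.12.x: no fixed patch release
    if minor in FIXED_IN:
        return patch < FIXED_IN[minor]   # fixed from the listed patch onward
    return False                         # 1.17+ (assumed fixed, see above)


def server_vulnerable_from_kubectl(output):
    """Evaluate the JSON printed by `kubectl version -o json`.

    Returns (server gitVersion, vulnerable?). Only serverVersion matters:
    the vulnerable code is in kube-apiserver, not in the kubectl client.
    """
    doc = json.loads(output)
    server = doc["serverVersion"]["gitVersion"]
    return server, is_vulnerable(server)


# Constructed sample output; not captured from a real cluster.
SAMPLE_KUBECTL_VERSION = json.dumps({
    "clientVersion": {"gitVersion": "v1.16.2"},
    "serverVersion": {"gitVersion": "v1.14.6-aliyun.1"},
})

if __name__ == "__main__":
    version, vulnerable = server_vulnerable_from_kubectl(SAMPLE_KUBECTL_VERSION)
    print("%s: %s" % (version, "VULNERABLE, upgrade" if vulnerable else "fixed"))
```

To run it against a live cluster, pipe the real output in place of the sample: `kubectl version -o json` and pass the text to `server_vulnerable_from_kubectl`.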

Fix

Log on to the Container Service console and upgrade Kubernetes to 1.14.8, or to the fixed release of the minor version you are on as listed above. For more information, see Upgrade a cluster.

If you cannot upgrade your cluster immediately, perform the following operations to reduce the risk until you can upgrade. They limit who is able to send requests to the API server; they do not remove the vulnerability itself.

  • Apply the principle of least privilege (PoLP): grant each RAM user only the Kubernetes permissions that its tasks require. The vulnerability is triggered by POST requests, so in particular do not grant create permissions on API resources to users who do not need them. For more information, see Overview.
  • Use your Alibaba Cloud account to revoke the KubeConfig credentials of RAM users whose credentials may have been leaked, so that those credentials can no longer be used to send requests to the API server.
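The least-privilege recommendation above can be checked on the cluster side with the following script, added here as an example; it is not part of the original page or of any ACK tooling. It reads the JSON that `kubectl get clusterroles,clusterrolebindings -o json` prints and lists every ClusterRoleBinding that gives one of the broad built-in groups (system:unauthenticated, system:authenticated) a role containing the create verb, which is the HTTP POST the vulnerability needs. The embedded sample is constructed to resemble the pre-1.14 bootstrap bindings that the upstream advisory describes (system:basic-user and system:discovery bound to system:unauthenticated); the exact rules, the `edit` role and the user name are assumptions, not output from a real cluster.

```python
import json

# Groups that stand for "everyone": any request at all (system:unauthenticated)
# or every holder of a KubeConfig, including every RAM user (system:authenticated).
BROAD_GROUPS = {"system:unauthenticated", "system:authenticated"}


def role_allows_create(rules):
    """True if any rule grants the create verb (an HTTP POST) or the wildcard verb."""
    return any("create" in r.get("verbs", []) or "*" in r.get("verbs", []) for r in rules)


def split_items(kubectl_json):
    """Split a kubectl List into {role name: rules} and a list of binding objects."""
    roles, bindings = {}, []
    for item in json.loads(kubectl_json).get("items", []):
        if item.get("kind") == "ClusterRole":
            roles[item["metadata"]["name"]] = item.get("rules", [])
        elif item.get("kind") == "ClusterRoleBinding":
            bindings.append(item)
    return roles, bindings


def risky_bindings(bindings, roles):
    """Return (binding name, group) pairs where a broad group can POST via a ClusterRole."""
    findings = []
    for b in bindings:
        ref = b.get("roleRef", {})
        if ref.get("kind") != "ClusterRole":
            continue
        if not role_allows_create(roles.get(ref.get("name"), [])):
            continue  # read-only role (e.g. discovery): no POST, not relevant here
        for subject in b.get("subjects", []):
            if subject.get("kind") == "Group" and subject.get("name") in BROAD_GROUPS:
                findings.append((b["metadata"]["name"], subject["name"]))
    return findings


def audit(kubectl_json):
    roles, bindings = split_items(kubectl_json)
    return risky_bindings(bindings, roles)


# Constructed sample in the shape of `kubectl get clusterroles,clusterrolebindings -o json`.
# Role contents are assumed; the bindings mimic the pre-1.14 bootstrap defaults.
SAMPLE_KUBECTL_OUTPUT = json.dumps({"kind": "List", "items": [
    {"kind": "ClusterRole", "metadata": {"name": "system:basic-user"},
     "rules": [{"apiGroups": ["authorization.k8s.io"],
                "resources": ["selfsubjectaccessreviews", "selfsubjectrulesreviews"],
                "verbs": ["create"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "system:discovery"},
     "rules": [{"nonResourceURLs": ["/api", "/api/*", "/apis", "/apis/*", "/version"],
                "verbs": ["get"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "edit"},
     "rules": [{"apiGroups": [""], "resources": ["pods"],
                "verbs": ["get", "list", "create", "update", "delete"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "system:basic-user"},
     "roleRef": {"kind": "ClusterRole", "name": "system:basic-user"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"},
                  {"kind": "Group", "name": "system:unauthenticated"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "system:discovery"},
     "roleRef": {"kind": "ClusterRole", "name": "system:discovery"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"},
                  {"kind": "Group", "name": "system:unauthenticated"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "dev-edit"},
     "roleRef": {"kind": "ClusterRole", "name": "edit"},
     "subjects": [{"kind": "User", "name": "alice"}]},   # a single named user: fine
]})

if __name__ == "__main__":
    for binding, group in audit(SAMPLE_KUBECTL_OUTPUT):
        print("binding %s lets group %s POST to the API server" % (binding, group))
```

A hit on system:unauthenticated means anyone who can reach the API server endpoint can exercise the parser; a hit on system:authenticated means every credential you have issued can. Either way, narrow the subjects of that binding (or remove it) while the cluster is still on an affected version, then upgrade.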