Alibaba Cloud has fixed the Kubernetes vulnerability CVE-2019-11253 in Container Service for Kubernetes (ACK). This topic describes the impacts and how to fix this vulnerability in earlier versions.

Background information

The Kubernetes vulnerability CVE-2019-11253 was disclosed by the Kubernetes community. A user who can send POST requests to a Kubernetes cluster can submit specially crafted YAML files that consume excessive CPU and memory when parsed, causing a denial of service (DoS) against the cluster. Alibaba Cloud has fixed this vulnerability in ACK at the earliest opportunity. Log on to the ACK console to upgrade your ACK clusters.

For more information about the Kubernetes vulnerability CVE-2019-11253, see CVE-2019-11253.

Affected versions

  • Kubernetes v1.0.x to 1.12.x
  • Kubernetes v1.13.0 to 1.13.11 (fixed in 1.13.12)
  • Kubernetes v1.14.0 to 1.14.7 (fixed in 1.14.8)
  • Kubernetes v1.15.0 to 1.15.4 (fixed in 1.15.5)
  • Kubernetes v1.16.0 to 1.16.1 (fixed in 1.16.2)
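
The following shell function is an added example, not part of the original topic or of any Alibaba Cloud tooling. It encodes the affected ranges listed above so you can test a cluster's reported server version (for example the `gitVersion` printed by `kubectl version`) against them; the version string format and the `-aliyun` build suffix are assumptions for illustration.

```shell
# Exit 0 if the given Kubernetes server version falls in an affected
# range for CVE-2019-11253, exit 1 otherwise.
# Accepts strings such as "v1.14.7", "1.14.7-aliyun.1" (assumed suffix
# format) or "v1.16.1+build"; pre-release and build metadata are ignored.
is_affected() {
  v=${1#v}                  # strip leading "v"
  v=${v%%-*}                # drop "-..." pre-release / vendor suffix
  v=${v%%+*}                # drop "+..." build metadata
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%.*}
  case "$rest" in
    *.*) patch=${rest#*.}; patch=${patch%%.*} ;;
    *)   patch=0 ;;         # "1.14" with no patch component
  esac
  [ "$major" -eq 1 ] || return 1
  case "$minor" in
    13) [ "$patch" -lt 12 ] ;;   # fixed in 1.13.12
    14) [ "$patch" -lt 8 ] ;;    # fixed in 1.14.8
    15) [ "$patch" -lt 5 ] ;;    # fixed in 1.15.5
    16) [ "$patch" -lt 2 ] ;;    # fixed in 1.16.2
    *)  [ "$minor" -le 12 ] ;;   # every 1.0.x to 1.12.x release; 1.17+ unaffected
  esac
}

# Example usage against a live cluster (requires kubectl and jq):
#   if is_affected "$(kubectl version -o json | jq -r .serverVersion.gitVersion)"; then
#     echo "cluster is affected by CVE-2019-11253: upgrade"
#   fi
```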

Fixes

Log on to the ACK console to upgrade your ACK clusters to 1.14.8. For more information about how to upgrade an ACK cluster and the considerations you must be aware of, see Upgrade a cluster.

If you cannot immediately upgrade your ACK clusters, perform the following operations to reduce the risks caused by this vulnerability and perform an upgrade at a later time.

  • You can follow the principle of least privilege (POLP) and grant Resource Access Management (RAM) users the minimum permissions on the ACK cluster that they need to access. Do not grant the RAM users the permissions to create or modify ACK clusters. For more information, see Overview.
  • You can also use your Alibaba Cloud account to revoke the KubeConfig credentials of RAM users whose KubeConfig credentials may have been disclosed.