The Kubernetes community has disclosed CVE-2021-3121, a vulnerability in the gogo protobuf code generator (github.com/gogo/protobuf). Go code generated by affected versions lacks an index check in its unmarshaling path, so a remote attacker can send crafted protobuf messages that make the receiving process panic, resulting in a denial of service. If message types used in your Kubernetes cluster were generated with an earlier version of the gogo protobuf compiler, that generated code may be affected. This topic describes the impacts, affected components, and fixes of this vulnerability.

Impacts

The Kubernetes system components recover from panics automatically (the API server, for example, catches panics raised while handling a request and fails only that request), so crafted protobuf messages cannot interrupt service. Therefore, the Kubernetes system components themselves are not affected by this vulnerability.

A program is affected if it accepts and unmarshals protobuf messages using code generated by a vulnerable gogo protobuf version and does not recover from panics itself: a single crafted message then terminates the process, resulting in a denial of service.

Affected versions

The Kubernetes community has tested and verified that the API server is not affected by this vulnerability. However, the community has still updated the related protobuf files to remove the vulnerable generated code. The vulnerability is fixed in the following protobuf versions:

Fixes

If your application uses automatically generated protobuf messages and you find a process that exits with a panic and stack trace similar to the following (a negative index inside a generated Unmarshal method), an attacker may be exploiting this vulnerability:

panic: runtime error: index out of range [-9223372036854775804]

goroutine 1 [running]:
v1.(*MessageName).Unmarshal(0xc000057ef8, 0xc0000161a0, 0xa, 0x10, 0xc000057ec8, 0x1)
        .../protofile.pb.go:250 +0xb86

If you use components that unmarshal protobuf messages, upgrade the gogo protobuf compiler to a patched version (v1.3.2 or later) and regenerate the affected .pb.go files with the updated compiler. Because the missing check lives in the generated Unmarshal code, bumping the module version in go.mod alone does not fix files that were generated earlier; they must be regenerated. Until that is done, wrapping Unmarshal calls in a panic-recovering handler, as the Kubernetes components do, limits a crafted message to a failed request instead of a crashed process.
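The following Go program is an added illustration and is not code from this advisory, from Kubernetes, or from the gogo/protobuf project. It models the bug class behind the panic shown under Fixes in a simplified parser for length-delimited protobuf fields: the pre-fix shape only checks that offset + length does not exceed the buffer, so a length close to MaxInt64 wraps the offset to a negative value, the loop condition still holds, and the next read panics with a negative index. The hardened variant adds the overflow check that regeneration provides, and ParseSafely shows the recover-based handling that separates the unaffected Kubernetes components (Impacts) from a program that crashes. The parser, the crafted and benign byte strings, and every function name here are constructed for this example, assume a 64-bit platform, and are not the gogo-generated code.

```go
package main

import (
	"errors"
	"fmt"
	"io"
)

// ErrInvalidLength is returned when a length-delimited field would run
// outside the buffer, including by integer overflow of offset + length.
var ErrInvalidLength = errors.New("proto: negative or overflowing length during unmarshal")

// decodeVarint reads a protobuf base-128 varint starting at data[idx] and
// returns its value and the index of the first byte after it.
func decodeVarint(data []byte, idx int) (uint64, int, error) {
	var v uint64
	for shift := uint(0); shift < 64; shift += 7 {
		if idx >= len(data) {
			return 0, idx, io.ErrUnexpectedEOF
		}
		b := data[idx] // with a negative idx this read is what panics
		idx++
		v |= uint64(b&0x7f) << shift
		if b < 0x80 {
			return v, idx, nil
		}
	}
	return 0, idx, errors.New("proto: varint overflows 64 bits")
}

// parseMessage walks a message made of varint (wire type 0) and
// length-delimited (wire type 2) fields and returns the number of fields seen.
// checkOverflow selects the pre-fix behaviour (false) or the hardened one (true).
func parseMessage(data []byte, checkOverflow bool) (int, error) {
	fields, idx := 0, 0
	for idx < len(data) { // a negative idx still satisfies this condition
		tag, next, err := decodeVarint(data, idx)
		if err != nil {
			return fields, err
		}
		switch wireType := tag & 7; wireType {
		case 0: // varint: consume the value
			_, idx, err = decodeVarint(data, next)
			if err != nil {
				return fields, err
			}
		case 2: // length-delimited: read the length, then skip the payload
			length, after, err := decodeVarint(data, next)
			if err != nil {
				return fields, err
			}
			skippy := int(length)
			if skippy < 0 {
				return fields, ErrInvalidLength
			}
			// Pre-fix shape: only the upper bound is checked. after+skippy wraps
			// negative when skippy is near MaxInt64, and a negative value passes
			// the "> len(data)" test. The hardened code rejects the wrap first.
			if checkOverflow && after+skippy < 0 {
				return fields, ErrInvalidLength
			}
			if after+skippy > len(data) {
				return fields, io.ErrUnexpectedEOF
			}
			idx = after + skippy
		default:
			return fields, fmt.Errorf("proto: unsupported wire type %d", wireType)
		}
		fields++
	}
	return fields, nil
}

// ParseUnchecked models generated Unmarshal code from before the fix.
func ParseUnchecked(data []byte) (int, error) { return parseMessage(data, false) }

// ParseChecked models regenerated code in which the overflow check is present.
func ParseChecked(data []byte) (int, error) { return parseMessage(data, true) }

// ParseSafely runs a parser and converts a panic into an error: the kind of
// recovery that keeps a component serving even with unfixed generated code.
func ParseSafely(parse func([]byte) (int, error), data []byte) (n int, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("recovered panic while unmarshaling: %v", r)
		}
	}()
	return parse(data)
}

// CraftedMessage is a constructed input: field 1, wire type 2, length 2^63-6.
// The payload would start at offset 10, and 10 + (2^63-6) wraps to -2^63+4,
// which is -9223372036854775804, the negative index in the panic above.
func CraftedMessage() []byte {
	return []byte{0x0a, 0xfa, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f}
}

// BenignMessage is a constructed valid input: field 1 = varint 150, field 2 = "abc".
func BenignMessage() []byte {
	return []byte{0x08, 0x96, 0x01, 0x12, 0x03, 'a', 'b', 'c'}
}

func main() {
	parsers := []struct {
		name  string
		parse func([]byte) (int, error)
	}{{"unchecked", ParseUnchecked}, {"checked", ParseChecked}}
	for _, p := range parsers {
		n, err := ParseSafely(p.parse, CraftedMessage())
		fmt.Printf("%-9s crafted: fields=%d err=%v\n", p.name, n, err)
		n, err = ParseSafely(p.parse, BenignMessage())
		fmt.Printf("%-9s benign:  fields=%d err=%v\n", p.name, n, err)
	}
}
```

Running ParseUnchecked on the crafted bytes without ParseSafely terminates the process, which is the denial of service described above; with ParseSafely the same input becomes an error for one message, and ParseChecked rejects it before any out-of-range read happens.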