On Wednesday, the Kubernetes Product Security Committee disclosed two new vulnerabilities affecting all versions. The issues are related to eight attack methods on HTTP/2 implementations found and released two weeks ago by security researchers from Google and Netflix.
HTTP/2 is a protocol designed to replace long-lived HTTP/1.1 with features that better suit the modern needs of HTTP use cases and improve performance. The HTTP/2 specification was released in 2015 and has since been widely adopted by web server applications.
In a security advisory, Netflix revealed that engineer Jonathan Looney had determined that many HTTP/2 implementations are vulnerable to multiple denial-of-service vulnerabilities. The advisory also lists one vulnerability type that was discovered by Piotr Sikora from Google’s Envoy security team.
The advisory describes eight attacks (CVE-2019-9510, CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9515, CVE-2019-9516, CVE-2019-9517 and CVE-2019-9518) that can exhaust the servers of either CPU or memory, or both, potentially resulting in their denial of service. While each attack is not specific to an implementation, each implementation may be vulnerable to one or more of these attacks. A table describing how these vulnerabilities affect more than 230 vendors is provided on the CERT/CC information page.
The Go language was found to be vulnerable to two of these attacks, CVE-2019-9512 and CVE-2019-9514, in its two official HTTP implementation packages, net/http and golang.org/x/net/http2. Two official Golang revisions were released, go1.12.8 and go1.11.13, which are not vulnerable to the attacks.
Kubernetes was identified as being vulnerable to these attacks as it is written in the Go language and relies on its HTTP implementation. The Kubernetes team released three versions built with the immune Golang compilers. The fixed versions are Kubernetes v1.15.3, v1.14.6 and v1.13.10.
The Kubernetes announcement mentioned any Kubernetes component that allows for HTTP/2 connections may be vulnerable to the attacks in all previously released versions.
While Twistlock is written primarily in Go, it is not vulnerable to this class of attacks because of other mitigations already in place within our software.
As ecosystem vendors assess the impact to their own Kubernetes distributions, Twistlock’s Intelligence Stream will automatically update to include these findings. These vulnerabilities will then be detected within customer environments automatically, with no user interaction required.