cvelistv5 - cve-2023-32187

CVE-2023-32187 (GCVE-0-2023-32187)

Vulnerability from cvelistv5

Published

2023-09-18 12:04

Modified

2024-09-25 20:48

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-770 - Allocation of Resources Without Limits or Throttling

Summary

An Allocation of Resources Without Limits or Throttling vulnerability in SUSE k3s allows attackers with access to K3s servers' apiserver/supervisor port (TCP 6443) cause denial of service. This issue affects k3s: from v1.24.0 before v1.24.17+k3s1, from v1.25.0 before v1.25.13+k3s1, from v1.26.0 before v1.26.8+k3s1, from sev1.27.0 before v1.27.5+k3s1, from v1.28.0 before v1.28.1+k3s1.

References

►

URL

Tags

meissner@suse.de	https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32187https://	Broken Link
meissner@suse.de	https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2	Mitigation, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32187https://	Broken Link
af854a3a-2127-422b-91ae-364da2661108	https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2	Mitigation, Vendor Advisory

Impacted products

	Vendor	Product	Version
	SUSE	k3s	Version: v1.24.0 ≤ Version: v1.25.0 ≤ Version: v1.26.0 ≤ Version: sev1.27.0 ≤ Version: v1.28.0 ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T15:10:23.925Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32187https://"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:k3s:k3s:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "k3s",
            "vendor": "k3s",
            "versions": [
              {
                "lessThan": "1.24.17+k3s1",
                "status": "affected",
                "version": "1.24.0",
                "versionType": "custom"
              },
              {
                "lessThan": "1.25.13+k3s1",
                "status": "affected",
                "version": "1.25.0",
                "versionType": "custom"
              },
              {
                "lessThan": "1.26.8+k3s1",
                "status": "affected",
                "version": "1.26.0",
                "versionType": "custom"
              },
              {
                "lessThan": "1.28.1+k3s1",
                "status": "affected",
                "version": "1.28.0",
                "versionType": "custom"
              },
              {
                "lessThan": "1.27.5+k3s1",
                "status": "affected",
                "version": "1.27.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-32187",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-25T20:03:35.337423Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-25T20:48:50.658Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageName": "k3s",
          "product": "k3s",
          "vendor": "SUSE",
          "versions": [
            {
              "lessThan": "v1.24.17+k3s1",
              "status": "affected",
              "version": "v1.24.0",
              "versionType": "semver"
            },
            {
              "lessThan": "v1.25.13+k3s1",
              "status": "affected",
              "version": "v1.25.0",
              "versionType": "semver"
            },
            {
              "lessThan": "v1.26.8+k3s1",
              "status": "affected",
              "version": "v1.26.0",
              "versionType": "semver"
            },
            {
              "lessThan": "v1.27.5+k3s1",
              "status": "affected",
              "version": "sev1.27.0",
              "versionType": "semver"
            },
            {
              "lessThan": "v1.28.1+k3s1",
              "status": "affected",
              "version": "v1.28.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "An Allocation of Resources Without Limits or Throttling vulnerability in SUSE k3s allows attackers with access to \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eK3s servers\u0027 apiserver/supervisor port (TCP 6443) cause denial of service.\u003c/span\u003e\u003cbr\u003e\u003cp\u003eThis issue affects k3s: from v1.24.0 before v1.24.17+k3s1, from v1.25.0 before v1.25.13+k3s1, from v1.26.0 before v1.26.8+k3s1, from sev1.27.0 before v1.27.5+k3s1, from v1.28.0 before v1.28.1+k3s1.\u003c/p\u003e"
            }
          ],
          "value": "An Allocation of Resources Without Limits or Throttling vulnerability in SUSE k3s allows attackers with access to K3s servers\u0027 apiserver/supervisor port (TCP 6443) cause denial of service.\nThis issue affects k3s: from v1.24.0 before v1.24.17+k3s1, from v1.25.0 before v1.25.13+k3s1, from v1.26.0 before v1.26.8+k3s1, from sev1.27.0 before v1.27.5+k3s1, from v1.28.0 before v1.28.1+k3s1.\n\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-09-18T12:04:27.767Z",
        "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
        "shortName": "suse"
      },
      "references": [
        {
          "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32187https://"
        },
        {
          "url": "https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
    "assignerShortName": "suse",
    "cveId": "CVE-2023-32187",
    "datePublished": "2023-09-18T12:04:27.767Z",
    "dateReserved": "2023-05-04T08:30:59.321Z",
    "dateUpdated": "2024-09-25T20:48:50.658Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-32187\",\"sourceIdentifier\":\"meissner@suse.de\",\"published\":\"2023-09-18T13:15:08.190\",\"lastModified\":\"2024-11-21T08:02:52.210\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An Allocation of Resources Without Limits or Throttling vulnerability in SUSE k3s allows attackers with access to K3s servers\u0027 apiserver/supervisor port (TCP 6443) cause denial of service.\\nThis issue affects k3s: from v1.24.0 before v1.24.17+k3s1, from v1.25.0 before v1.25.13+k3s1, from v1.26.0 before v1.26.8+k3s1, from sev1.27.0 before v1.27.5+k3s1, from v1.28.0 before v1.28.1+k3s1.\\n\\n\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad de asignaci\u00f3n de recursos sin l\u00edmites o limitaci\u00f3n en SUSE k3s permite a atacantes con acceso al puerto apiserver/supervisor de los servidores K3s (TCP 6443) provocar denegaci\u00f3n de servicio. Este problema afecta a k3s: desde v1.24.0 antes de v1.24.17+k3s1, desde v1.25.0 antes de v1.25.13+k3s1, desde v1.26.0 antes de v1.26.8+k3s1, desde sev1.27.0 antes de v1.27.5+k3s1, desde v1.28.0 antes de v1.28.1+k3s1\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"meissner@suse.de\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"meissner@suse.de\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:k3s:k3s:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.24.0\",\"versionEndExcluding\":\"1.24.17\\\\+k3s1\",\"matchCriteriaId\":\"5FEC7C6F-1B51-4F4D-B676-BBB6BE589A8C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:k3s:k3s:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.25.0\",\"versionEndExcluding\":\"1.25.13\\\\+k3s1\",\"matchCriteriaId\":\"78847F7B-2FBC-431B-8EA2-40DCFC14659A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:k3s:k3s:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.26.0\",\"versionEndExcluding\":\"1.26.8\\\\+k3s1\",\"matchCriteriaId\":\"E5B928DB-5CC6-4E1E-9049-DED54245E47F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:k3s:k3s:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.27.0\",\"versionEndExcluding\":\"1.27.5\\\\+k3s1\",\"matchCriteriaId\":\"BD52035E-E6FB-444E-99C0-FC4FE63D6EB3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:k3s:k3s:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.28.0\",\"versionEndExcluding\":\"1.28.1\\\\+k3s1\",\"matchCriteriaId\":\"515B2A4C-17AB-4C4B-8231-18A6A49C25DD\"}]}]}],\"references\":[{\"url\":\"https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32187https://\",\"source\":\"meissner@suse.de\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2\",\"source\":\"meissner@suse.de\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32187https://\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32187https://\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T15:10:23.925Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-32187\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-25T20:03:35.337423Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:k3s:k3s:*:*:*:*:*:*:*:*\"], \"vendor\": \"k3s\", \"product\": \"k3s\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.24.0\", \"lessThan\": \"1.24.17+k3s1\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"1.25.0\", \"lessThan\": \"1.25.13+k3s1\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"1.26.0\", \"lessThan\": \"1.26.8+k3s1\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"1.28.0\", \"lessThan\": \"1.28.1+k3s1\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"1.27.0\", \"lessThan\": \"1.27.5+k3s1\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-25T20:48:41.286Z\"}}], \"cna\": {\"source\": {\"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"SUSE\", \"product\": \"k3s\", \"versions\": [{\"status\": \"affected\", \"version\": \"v1.24.0\", \"lessThan\": \"v1.24.17+k3s1\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"v1.25.0\", \"lessThan\": \"v1.25.13+k3s1\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"v1.26.0\", \"lessThan\": \"v1.26.8+k3s1\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"sev1.27.0\", \"lessThan\": \"v1.27.5+k3s1\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"v1.28.0\", \"lessThan\": \"v1.28.1+k3s1\", \"versionType\": \"semver\"}], \"packageName\": \"k3s\", \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32187https://\"}, {\"url\": \"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"An Allocation of Resources Without Limits or Throttling vulnerability in SUSE k3s allows attackers with access to K3s servers\u0027 apiserver/supervisor port (TCP 6443) cause denial of service.\\nThis issue affects k3s: from v1.24.0 before v1.24.17+k3s1, from v1.25.0 before v1.25.13+k3s1, from v1.26.0 before v1.26.8+k3s1, from sev1.27.0 before v1.27.5+k3s1, from v1.28.0 before v1.28.1+k3s1.\\n\\n\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"An Allocation of Resources Without Limits or Throttling vulnerability in SUSE k3s allows attackers with access to \u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eK3s servers\u0027 apiserver/supervisor port (TCP 6443) cause denial of service.\u003c/span\u003e\u003cbr\u003e\u003cp\u003eThis issue affects k3s: from v1.24.0 before v1.24.17+k3s1, from v1.25.0 before v1.25.13+k3s1, from v1.26.0 before v1.26.8+k3s1, from sev1.27.0 before v1.27.5+k3s1, from v1.28.0 before v1.28.1+k3s1.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-770\", \"description\": \"CWE-770: Allocation of Resources Without Limits or Throttling\"}]}], \"providerMetadata\": {\"orgId\": \"404e59f5-483d-4b8a-8e7a-e67604dd8afb\", \"shortName\": \"suse\", \"dateUpdated\": \"2023-09-18T12:04:27.767Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-32187\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-09-25T20:48:50.658Z\", \"dateReserved\": \"2023-05-04T08:30:59.321Z\", \"assignerOrgId\": \"404e59f5-483d-4b8a-8e7a-e67604dd8afb\", \"datePublished\": \"2023-09-18T12:04:27.767Z\", \"assignerShortName\": \"suse\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

wid-sec-w-2023-2303

Vulnerability from csaf_certbund

Published

2023-09-11 22:00

Modified

2023-09-11 22:00

Summary

Kubernetes: Schwachstelle ermöglicht Denial of Service

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Kubernetes ist ein Werkzeug zur Automatisierung der Bereitstellung, Skalierung und Verwaltung von containerisierten Anwendungen.

Angriff

Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Kubernetes ausnutzen, um einen Denial of Service Angriff durchzuführen.

Betroffene Betriebssysteme

- Linux

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Kubernetes ist ein Werkzeug zur Automatisierung der Bereitstellung, Skalierung und Verwaltung von containerisierten Anwendungen.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Kubernetes ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2023-2303 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-2303.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2023-2303 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-2303"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-m4hf-6vgr-75r2 vom 2023-09-11",
        "url": "https://github.com/advisories/GHSA-m4hf-6vgr-75r2"
      }
    ],
    "source_lang": "en-US",
    "title": "Kubernetes: Schwachstelle erm\u00f6glicht Denial of Service",
    "tracking": {
      "current_release_date": "2023-09-11T22:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T17:58:12.988+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2023-2303",
      "initial_release_date": "2023-09-11T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2023-09-11T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Open Source Kubernetes \u003c 1.24.17",
                "product": {
                  "name": "Open Source Kubernetes \u003c 1.24.17",
                  "product_id": "T029781",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:kubernetes:kubernetes:1.24.17"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Open Source Kubernetes \u003c 1.25.13",
                "product": {
                  "name": "Open Source Kubernetes \u003c 1.25.13",
                  "product_id": "T029782",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:kubernetes:kubernetes:1.25.13"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Open Source Kubernetes \u003c 1.26.8",
                "product": {
                  "name": "Open Source Kubernetes \u003c 1.26.8",
                  "product_id": "T029783",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:kubernetes:kubernetes:1.26.8"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Open Source Kubernetes \u003c 1.27.5",
                "product": {
                  "name": "Open Source Kubernetes \u003c 1.27.5",
                  "product_id": "T029784",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:kubernetes:kubernetes:1.27.5"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Open Source Kubernetes \u003c 1.28.1",
                "product": {
                  "name": "Open Source Kubernetes \u003c 1.28.1",
                  "product_id": "T029786",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:kubernetes:kubernetes:1.28.1"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Kubernetes"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-32187",
      "notes": [
        {
          "category": "description",
          "text": "Es besteht eine Schwachstelle in Kubernetes. Dieser Fehler besteht aufgrund einer fehlenden ordnungsgem\u00e4\u00dfen Validierung und Gr\u00f6\u00dfenbeschr\u00e4nkung der Subject Alternative Name (SAN)-Liste bei der TLS-Zertifikatsbehandlung von K3s. Durch das kontinuierliche Hinzuf\u00fcgen von Eintr\u00e4gen zur SAN-Liste w\u00e4hrend eines TLS-Handshakes, bis das Zertifikat \u00fcberm\u00e4\u00dfig gro\u00df wird, kann ein entfernter, anonymer Angreifer diese Schwachstelle ausnutzen, um einen Denial-of-Service-Zustand zu verursachen."
        }
      ],
      "release_date": "2023-09-11T22:00:00.000+00:00",
      "title": "CVE-2023-32187"
    }
  ]
}

gsd-2023-32187

Vulnerability from gsd

Modified

2023-12-13 01:20

Details

Aliases

CVE-2023-32187

Aliases

CVE-2023-32187

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-32187",
    "id": "GSD-2023-32187"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-32187"
      ],
      "details": "An Allocation of Resources Without Limits or Throttling vulnerability in SUSE k3s allows attackers with access to K3s servers\u0027 apiserver/supervisor port (TCP 6443) cause denial of service.\nThis issue affects k3s: from v1.24.0 before v1.24.17+k3s1, from v1.25.0 before v1.25.13+k3s1, from v1.26.0 before v1.26.8+k3s1, from sev1.27.0 before v1.27.5+k3s1, from v1.28.0 before v1.28.1+k3s1.\n\n",
      "id": "GSD-2023-32187",
      "modified": "2023-12-13T01:20:24.015568Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@suse.com",
        "ID": "CVE-2023-32187",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "k3s",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "v1.24.0",
                          "version_value": "v1.24.17+k3s1"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_name": "v1.25.0",
                          "version_value": "v1.25.13+k3s1"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_name": "v1.26.0",
                          "version_value": "v1.26.8+k3s1"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_name": "sev1.27.0",
                          "version_value": "v1.27.5+k3s1"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_name": "v1.28.0",
                          "version_value": "v1.28.1+k3s1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "SUSE"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "An Allocation of Resources Without Limits or Throttling vulnerability in SUSE k3s allows attackers with access to K3s servers\u0027 apiserver/supervisor port (TCP 6443) cause denial of service.\nThis issue affects k3s: from v1.24.0 before v1.24.17+k3s1, from v1.25.0 before v1.25.13+k3s1, from v1.26.0 before v1.26.8+k3s1, from sev1.27.0 before v1.27.5+k3s1, from v1.28.0 before v1.28.1+k3s1.\n\n"
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.1.0-dev"
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-770",
                "lang": "eng",
                "value": "CWE-770: Allocation of Resources Without Limits or Throttling"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32187https://",
            "refsource": "MISC",
            "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32187https://"
          },
          {
            "name": "https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2",
            "refsource": "MISC",
            "url": "https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2"
          }
        ]
      },
      "source": {
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:k3s:k3s:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.28.1\\+k3s1",
                "versionStartIncluding": "1.28.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:k3s:k3s:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.27.5\\+k3s1",
                "versionStartIncluding": "1.27.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:k3s:k3s:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.26.8\\+k3s1",
                "versionStartIncluding": "1.26.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:k3s:k3s:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.25.13\\+k3s1",
                "versionStartIncluding": "1.25.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:k3s:k3s:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.24.17\\+k3s1",
                "versionStartIncluding": "1.24.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@suse.com",
          "ID": "CVE-2023-32187"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "An Allocation of Resources Without Limits or Throttling vulnerability in SUSE k3s allows attackers with access to K3s servers\u0027 apiserver/supervisor port (TCP 6443) cause denial of service.\nThis issue affects k3s: from v1.24.0 before v1.24.17+k3s1, from v1.25.0 before v1.25.13+k3s1, from v1.26.0 before v1.26.8+k3s1, from sev1.27.0 before v1.27.5+k3s1, from v1.28.0 before v1.28.1+k3s1.\n\n"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-770"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32187https://",
              "refsource": "MISC",
              "tags": [
                "Broken Link"
              ],
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32187https://"
            },
            {
              "name": "https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2",
              "refsource": "MISC",
              "tags": [
                "Mitigation",
                "Vendor Advisory"
              ],
              "url": "https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2023-09-21T15:21Z",
      "publishedDate": "2023-09-18T13:15Z"
    }
  }
}

fkie_cve-2023-32187

Vulnerability from fkie_nvd

Published

2023-09-18 13:15

Modified

2024-11-21 08:02

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
meissner@suse.de	https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32187https://	Broken Link
meissner@suse.de	https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2	Mitigation, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32187https://	Broken Link
af854a3a-2127-422b-91ae-364da2661108	https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2	Mitigation, Vendor Advisory

Impacted products

Vendor	Product	Version
k3s	k3s	*
k3s	k3s	*
k3s	k3s	*
k3s	k3s	*
k3s	k3s	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:k3s:k3s:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5FEC7C6F-1B51-4F4D-B676-BBB6BE589A8C",
              "versionEndExcluding": "1.24.17\\+k3s1",
              "versionStartIncluding": "1.24.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:k3s:k3s:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "78847F7B-2FBC-431B-8EA2-40DCFC14659A",
              "versionEndExcluding": "1.25.13\\+k3s1",
              "versionStartIncluding": "1.25.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:k3s:k3s:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E5B928DB-5CC6-4E1E-9049-DED54245E47F",
              "versionEndExcluding": "1.26.8\\+k3s1",
              "versionStartIncluding": "1.26.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:k3s:k3s:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "BD52035E-E6FB-444E-99C0-FC4FE63D6EB3",
              "versionEndExcluding": "1.27.5\\+k3s1",
              "versionStartIncluding": "1.27.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:k3s:k3s:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "515B2A4C-17AB-4C4B-8231-18A6A49C25DD",
              "versionEndExcluding": "1.28.1\\+k3s1",
              "versionStartIncluding": "1.28.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An Allocation of Resources Without Limits or Throttling vulnerability in SUSE k3s allows attackers with access to K3s servers\u0027 apiserver/supervisor port (TCP 6443) cause denial of service.\nThis issue affects k3s: from v1.24.0 before v1.24.17+k3s1, from v1.25.0 before v1.25.13+k3s1, from v1.26.0 before v1.26.8+k3s1, from sev1.27.0 before v1.27.5+k3s1, from v1.28.0 before v1.28.1+k3s1.\n\n"
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de asignaci\u00f3n de recursos sin l\u00edmites o limitaci\u00f3n en SUSE k3s permite a atacantes con acceso al puerto apiserver/supervisor de los servidores K3s (TCP 6443) provocar denegaci\u00f3n de servicio. Este problema afecta a k3s: desde v1.24.0 antes de v1.24.17+k3s1, desde v1.25.0 antes de v1.25.13+k3s1, desde v1.26.0 antes de v1.26.8+k3s1, desde sev1.27.0 antes de v1.27.5+k3s1, desde v1.28.0 antes de v1.28.1+k3s1"
    }
  ],
  "id": "CVE-2023-32187",
  "lastModified": "2024-11-21T08:02:52.210",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "meissner@suse.de",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-09-18T13:15:08.190",
  "references": [
    {
      "source": "meissner@suse.de",
      "tags": [
        "Broken Link"
      ],
      "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32187https://"
    },
    {
      "source": "meissner@suse.de",
      "tags": [
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link"
      ],
      "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32187https://"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2"
    }
  ],
  "sourceIdentifier": "meissner@suse.de",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ],
      "source": "meissner@suse.de",
      "type": "Primary"
    }
  ]
}

ghsa-m4hf-6vgr-75r2

Vulnerability from github

Published

2023-09-11 13:47

Modified

2023-09-20 21:09

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

K3s apiserver port is vulnerable to unauthenticated remote denial-of-service (DoS) attack via TLS SAN stuffing attack

Details

Impact

An issue was found in K3s where an attacker with network access to K3s servers' apiserver/supervisor port (TCP 6443) can force the TLS server to add entries to the certificate's Subject Alternative Name (SAN) list, through a stuffing attack, until the certificate grows so large that it exceeds the maximum size allowed by TLS client implementations. OpenSSL for example will raise an excessive message size error when this occurs. No authentication is necessary to perform this attack, only the ability to perform a TLS handshake against the apiserver/supervisor port (TCP 6443).

Affected servers will continue to operate, but clients (including both external administrative access with kubectl and server or agent nodes) will fail to establish new connections, thus leading to a denial of service (DoS) attack.

Remediation

Upgrade to a fixed release:

v1.28.1+k3s1
v1.27.5+k3s1
v1.26.8+k3s1
v1.25.13+k3s1
v1.24.17+k3s1

If you are using K3s 1.27 or earlier, you must also add the parameter tls-san-security: true to the K3s configuration to enable enhanced security for the supervisor's TLS SAN list. This option defaults to true starting with K3s 1.28.

Note that this flag changes the behavior of K3s servers. You should ensure that you configure node-external-ip on servers that will be connected to via an external IP, and add tls-san entries for any load-balancers or VIP addresses that will be associated with the supervisor port. External IPs and load-balancer/VIP addresses will no longer be added to the supervisor certificate's SAN list unless explicitly configured.

Mitigation

If you cannot upgrade to a fixed release, the certificate can be "frozen" by running the following command against the cluster:

shell kubectl annotate secret -n kube-system k3s-serving listener.cattle.io/static=true

⚠️ IMPORTANT CAUTION: Note that this mitigation will prevent the certificate from adding new SAN entries when servers join the cluster, and automatically renewing itself when it is about to expire. If you do this, you should delete the annotation when adding new servers to the cluster, or when the certificate is within 90 days of expiring, so that it can be updated. Once that is done, you can freeze it again.

Affected certificates can be reset by performing the following steps: 1. Run kubectl --server https://localhost:6444 delete secret -n kube-system k3s-serving 2. Delete /var/lib/rancher/k3s/server/tls/dynamic-cert.json from all servers, and restart the k3s service.

Background

The K3s apiserver/supervisor listener on port TCP 6443 and uses the rancher/dynamiclistener library to dynamically generate TLS certificates that contain TLS Subject Alternative Names (SAN) for any host name or IP address requested by a client. This is done to allow servers and external load-balancers to be added to the cluster without the administrator having to explicitly know and configure in advance a fixed list of endpoints that the supervisor may be hosted at.

The library allows the embedding application to configure a callback that is used to filter addresses requested by clients; but this was not previously implemented in K3s.

For more information

If you have any questions or comments about this advisory:

Reach out to the K3s Security team for security related inquiries.
Open an issue in the K3s repository.
Verify with our support matrix and product support lifecycle.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/k3s-io/k3s"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.24.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/k3s-io/k3s"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.25.0"
            },
            {
              "fixed": "1.25.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/k3s-io/k3s"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.26.0"
            },
            {
              "fixed": "1.26.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/k3s-io/k3s"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.27.0"
            },
            {
              "fixed": "1.27.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/k3s-io/k3s"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.28.0"
            },
            {
              "fixed": "1.28.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-32187"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-09-11T13:47:08Z",
    "nvd_published_at": "2023-09-18T13:15:08Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nAn issue was found in K3s where an attacker with network access to K3s servers\u0027 apiserver/supervisor port (TCP 6443) can force the TLS server to add entries to the certificate\u0027s Subject Alternative Name (SAN) list, through a stuffing attack, until the certificate grows so large that it exceeds the maximum size allowed by TLS client implementations. OpenSSL for example will raise an `excessive message size` error when this occurs. No authentication is necessary to perform this attack, only the ability to perform a TLS handshake against the apiserver/supervisor port (TCP 6443).\n\nAffected servers will continue to operate, but clients (including both external administrative access with `kubectl` and server or agent nodes) will fail to establish new connections, thus leading to a denial of service (DoS) attack.\n\n### Remediation\n\nUpgrade to a fixed release:\n\n- v1.28.1+k3s1\n- v1.27.5+k3s1\n- v1.26.8+k3s1\n- v1.25.13+k3s1\n- v1.24.17+k3s1\n\nIf you are using K3s 1.27 or earlier, you must also add  the parameter `tls-san-security: true` to the K3s configuration to enable enhanced security for the supervisor\u0027s TLS SAN list. This option defaults to `true` starting with K3s 1.28.\n\nNote that this flag changes the behavior of K3s servers. You should ensure that you configure `node-external-ip` on servers that will be connected to via an external IP, and add `tls-san` entries for any load-balancers or VIP addresses that will be associated with the supervisor port. External IPs and load-balancer/VIP addresses will no longer be added to the supervisor certificate\u0027s SAN list unless explicitly configured.\n\n### Mitigation\n\nIf you cannot upgrade to a fixed release, the certificate can be \"frozen\" by running the following command against the cluster:\n\n```shell\nkubectl annotate secret -n kube-system k3s-serving listener.cattle.io/static=true\n```\n\n**\u26a0\ufe0f IMPORTANT CAUTION:** Note that this mitigation will prevent the certificate from adding new SAN entries when servers join the cluster, and automatically renewing itself when it is about to expire. If you do this, you should delete the annotation when adding new servers to the cluster, or when the certificate is within 90 days of expiring, so that it can be updated. Once that is done, you can freeze it again.\n\nAffected certificates can be reset by performing the following steps:\n1. Run `kubectl --server https://localhost:6444 delete secret -n kube-system k3s-serving`\n2. Delete `/var/lib/rancher/k3s/server/tls/dynamic-cert.json` from all servers, and restart the `k3s` service.\n\n### Background\n\nThe K3s apiserver/supervisor listener on port TCP 6443 and uses the `rancher/dynamiclistener` library to dynamically generate TLS certificates that contain TLS Subject Alternative Names (SAN) for any host name or IP address requested by a client. This is done to allow servers and external load-balancers to be added to the cluster without the administrator having to explicitly know and configure in advance a fixed list of endpoints that the supervisor may be hosted at.\n\nThe library allows the embedding application to configure a callback that is used to filter addresses requested by clients; but this was not previously implemented in K3s.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n- Reach out to the [K3s Security team](https://github.com/k3s-io/k3s/security/policy) for security related inquiries.\n- Open an issue in the [K3s](https://github.com/k3s-io/k3s/issues/new/choose) repository.\n- Verify with our [support matrix](https://www.suse.com/suse-k3s/support-matrix/all-supported-versions) and [product support lifecycle](https://www.suse.com/lifecycle/#k3s).",
  "id": "GHSA-m4hf-6vgr-75r2",
  "modified": "2023-09-20T21:09:28Z",
  "published": "2023-09-11T13:47:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32187"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32187https:/"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/k3s-io/k3s"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "K3s apiserver port is vulnerable to unauthenticated remote denial-of-service (DoS) attack via TLS SAN stuffing attack"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2023-32187 (GCVE-0-2023-32187)

Vulnerability from cvelistv5

wid-sec-w-2023-2303

Vulnerability from csaf_certbund

gsd-2023-32187

Vulnerability from gsd

fkie_cve-2023-32187

Vulnerability from fkie_nvd

ghsa-m4hf-6vgr-75r2

Vulnerability from github

Impact

Remediation

Mitigation

Background

For more information

Tags

Sightings

Nomenclature