CVE-2019-11253 (aka Billion Laughs) Vulnerability Mitigations
The Calico Enterprise API Server and Calicoctl are vulnerable to denial of service when an authenticated user with the network-admin role submits a crafted YAML document, because the version of goyaml bundled with these components expands YAML aliases without limit (CVE-2019-11253, the "Billion Laughs" attack). Parsing such a document consumes excessive CPU and memory, which can starve other workloads on the same host or cause the affected component to be evicted or restarted. A successful denial of service against the Calico Enterprise API Server or Calicoctl could therefore result in denial of service for the entire cluster.
Note that the fixes for CVE-2019-11253 in the Kubernetes API Server and Kubectl do not cover the Calico Enterprise API Server: it carries its own copy of goyaml and remains reachable with the vulnerable version until it is upgraded.
Affected Versions
Calico (Calicoctl only)
- 3.10 and older
Calico Enterprise (previously known as Tigera Secure)
- 2.6.0 and older
Indicators of Impact/Compromise
Calico Enterprise components (or Calicoctl) allocate a large amount of memory, consume excessive CPU while processing a YAML document, and/or crash unexpectedly
Workaround / Remediation
Review all YAML files before they are processed by Calicoctl, and do not apply files from untrusted sources. If Calicoctl is run within a Kubernetes cluster as a pod, set CPU and memory resource limits on the pod so that it cannot consume excessive resources on the node. If Calicoctl is run as a binary on a host, terminate the process if it takes longer than 10 seconds to complete.
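As an added pre-flight check for the "review all YAML files" step (example code written for this page, not part of Calico, Calicoctl or Tigera's tooling), the script below estimates how many nodes a document would contain once every alias is expanded, without ever loading it, so a file can be rejected before it reaches the vulnerable goyaml parser. It is a line-oriented heuristic: it assumes block structure is expressed by indentation and that anchors are defined before they are aliased, it treats quoted scalars as opaque, and the 100,000-node threshold and the two sample documents are constructed for illustration.

```python
"""Pre-flight check for YAML alias expansion ("Billion Laughs") before a
file is handed to calicoctl or the Calico Enterprise API Server.

Added example, not Calico/Tigera code. Line-oriented heuristic with no YAML
library, so it never itself expands the aliases it is measuring."""
import math
import re
import sys
from typing import NamedTuple

# Anchor/alias names: a run of characters that are not whitespace or flow
# indicators (approximation of the YAML anchor-name rules).
ANCHOR_RE = re.compile(r'&([^\s\[\]{},]+)')
ALIAS_RE = re.compile(r'\*([^\s\[\]{},]+)')
# Quoted scalars are blanked first so that '*', '&', ',' and '#' inside
# strings are not mistaken for aliases, anchors, items or comments.
QUOTED_RE = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:[^\']|\'\')*\'')
COMMENT_RE = re.compile(r'(?:^|\s)#.*$')


class Expansion(NamedTuple):
    nodes: float      # estimated node count once every alias is expanded
    recursive: bool   # an alias pointed at an anchor whose block was still open


def _effective_indent(line: str) -> int:
    """Column used to decide where an anchored block ends. A '- ' item counts
    one column deeper than its dash, so a block sequence written at the same
    column as its key still belongs to the key's anchor, while a sibling
    '- ' item at the same column closes it."""
    stripped = line.lstrip(' ')
    indent = len(line) - len(stripped)
    if stripped == '-' or stripped.startswith('- '):
        indent += 1
    return indent


def estimate_yaml_expansion(text: str) -> Expansion:
    """cost(anchor) = nodes on the anchor's own lines plus cost(target) for
    every alias inside its indented block; every alias in the document then
    adds cost(target) to the total. That total approximates the number of
    nodes an unbounded loader such as the affected goyaml would materialise."""
    costs = {}      # anchor name -> cost once its block is closed
    stack = []      # open anchors, each as [name, indent, nodes_so_far]
    total = 0
    for raw in text.splitlines():
        line = COMMENT_RE.sub('', QUOTED_RE.sub('""', raw))
        if not line.strip():
            continue
        indent = _effective_indent(line)
        while stack and indent <= stack[-1][1]:     # that anchor's block ended
            name, _, nodes = stack.pop()
            costs[name] = nodes
        for name in ANCHOR_RE.findall(line):         # anchors defined on this line
            stack.append([name, indent, 0])
        base = 1 + line.count(',')   # the line itself plus extra flow-sequence items
        total += base
        for entry in stack:
            entry[2] += base
        for name in ALIAS_RE.findall(line):
            if any(entry[0] == name for entry in stack):
                return Expansion(math.inf, True)   # self-referential: unbounded
            cost = costs.get(name, 1)   # undefined alias: the loader rejects it anyway
            total += cost
            for entry in stack:
                entry[2] += cost
    return Expansion(total, False)


def is_safe_to_load(text: str, max_nodes: int = 100_000) -> bool:
    """True when the estimate is finite and at most max_nodes (the default is
    an assumption; size it to the largest legitimate manifest you apply)."""
    est = estimate_yaml_expansion(text)
    return not est.recursive and est.nodes <= max_nodes


# Constructed sample: the classic nine-level payload, hundreds of millions of
# nodes once expanded although the file is under 400 bytes.
BILLION_LAUGHS = "\n".join(
    ['a: &a ["lol","lol","lol","lol","lol","lol","lol","lol","lol"]']
    + [f"{cur}: &{cur} [{','.join('*' + prev for _ in range(9))}]"
       for prev, cur in zip("abcdefgh", "bcdefghi")]
) + "\n"

# Constructed sample: ordinary anchor reuse that must still pass.
BENIGN = """\
defaults: &defaults
  replicas: 2
  image: nginx
web:
  <<: *defaults
api:
  <<: *defaults
"""

if __name__ == "__main__":
    bad = 0
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            est = estimate_yaml_expansion(fh.read())
        ok = not est.recursive and est.nodes <= 100_000
        print(f"{'ok    ' if ok else 'REJECT'} {path}: ~{est.nodes:g} nodes"
              + (" (recursive alias)" if est.recursive else ""))
        bad += not ok
    sys.exit(1 if bad else 0)
```

Run it over each manifest before `calicoctl apply -f`, and treat a non-zero exit as a reason not to apply. The estimate deliberately over-counts rather than under-counts (every comma and every alias is charged), so a rejection is a prompt to inspect the file by hand; it does not replace the resource limits and the timeout described above, which still bound the damage if a hostile file slips through.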
The Calico Enterprise API Server only processes submitted YAML for authenticated users holding the network-admin role or above, so restricting who holds that role limits who can trigger the issue. You can mitigate this by:
- Ensuring that only intended users have access to the Calico Enterprise Management UI
- Reviewing all existing ClusterRoles/Roles and their bindings to ensure that only intended users can reach the Tigera Secure EE API endpoints
The following patched versions of software will fix the underlying issue. We expect these to be available shortly.