CVE-2019-11253 aka Billion Laughs Vulnerability Mitigations

Reference: TTA-2019-003
Date published: 2019-Dec-2

Summary

Calico Enterprise API Server and Calicoctl, when driven by an authenticated user with the network-admin role, are vulnerable to denial of service attacks because of weaknesses in the included version of goyaml, which the affected components use to process input YAML. The resulting excess resource consumption could negatively affect other workloads on the same host, or cause the components to be evicted or restarted. A successful denial of service attack against the Calico Enterprise API Server or Calicoctl could potentially cause denial of service for an entire cluster.

Note that although CVE-2019-11253 has been patched in the Kubernetes API Server and Kubectl, the vulnerable Calico Enterprise API Server remains reachable.

Severity

HIGH

Affected Releases

Calico (only Calicoctl)

  • 3.10 and older

Calico Enterprise (previously known as Tigera Secure)

  • 2.6.0 and older

Indicators of Impact/Compromise

Calico Enterprise components allocate a large amount of memory and/or crash unexpectedly

Workaround / Remediation

Calicoctl

Review all YAML files before they are processed by Calicoctl. If Calicoctl is run within a Kubernetes cluster as a pod, set resource limits so the pod cannot consume excessive resources. If Calicoctl is run as a binary on a host, terminate the process if it takes longer than 10 seconds.
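As an added example for the "review all YAML files" step (not code from this bulletin or from the Calico project), the screen below estimates how large a YAML document would become if every alias were expanded, without ever expanding it, and rejects files over a budget. The node-scope rule (an anchored node spans its line plus the deeper-indented lines after it), the 100,000 line-equivalent budget and the yaml_bomb() sample input are assumptions constructed for this example.

```python
import re
from functools import lru_cache

# Heuristic: an anchored node spans its defining line plus every following non-blank
# line indented deeper than it; aliases are counted, never expanded.
ANCHOR_RE = re.compile(r"&([^\s,\[\]{}]+)")
ALIAS_RE = re.compile(r"\*([^\s,\[\]{}]+)")
MAX_EXPANDED = 100_000  # assumed budget in line-equivalents after alias expansion

def expanded_weight(text: str) -> int:
    """Line-equivalents the document would occupy with every alias fully expanded."""
    lines = []
    for raw in text.splitlines():
        body = re.split(r"\s#", raw, maxsplit=1)[0].rstrip()  # drop trailing comments
        if body.strip():
            lines.append((len(body) - len(body.lstrip(" ")), body))
    anchors = {}  # anchor name -> index of its defining line (first definition wins)
    for idx, (_, body) in enumerate(lines):
        for name in ANCHOR_RE.findall(body):
            anchors.setdefault(name, idx)
    active = set()  # anchors whose weight is being computed; re-entry means a cycle
    def scope(idx):  # line range covered by the node anchored on line idx
        end = idx + 1
        while end < len(lines) and lines[end][0] > lines[idx][0]:
            end += 1
        return range(idx, end)

    @lru_cache(maxsize=None)  # memoisation keeps this linear where a parser is exponential
    def expansion(name):
        if name not in anchors:
            return 0  # alias to an undefined anchor: nothing to expand, the parser rejects it
        if name in active:
            raise ValueError(f"alias cycle through anchor &{name}")
        active.add(name)
        total = weight(scope(anchors[name]))
        active.discard(name)
        return total
    def weight(indices):
        return sum(1 + sum(expansion(t) for t in ALIAS_RE.findall(lines[i][1]))
                   for i in indices)
    return weight(range(len(lines)))

def is_within_budget(text: str, limit: int = MAX_EXPANDED) -> bool:
    return expanded_weight(text) <= limit

def yaml_bomb(levels: int = 9, fanout: int = 9) -> str:  # constructed test input only
    names = [chr(ord("a") + i) for i in range(levels)]
    doc = [f"{names[0]}: &{names[0]} [" + ", ".join(['"lol"'] * fanout) + "]"]
    doc += [f"{cur}: &{cur} [" + ", ".join([f"*{prev}"] * fanout) + "]"
            for prev, cur in zip(names, names[1:])]
    return "\n".join(doc)  # expanded_weight(yaml_bomb()) == 54481005
```

Because the regexes work on raw text, a `*` or `&` inside a quoted string can over-count; that errs toward rejecting a file for manual review rather than passing it.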

API Server

The Calico Enterprise API Server requires the authenticated user to hold the network-admin role or higher before it processes input YAML. You can mitigate this by:

  • Ensuring that only intended users have access to the Calico Enterprise Management UI
  • Reviewing all existing ClusterRole and Role objects to ensure that only intended users can access Tigera Secure EE API endpoints

Fixed Software

The following patched versions of software will fix the underlying issue. We expect these to be available shortly.

Calico

  • 3.11

Calico Enterprise

  • 2.6.1
