KubeEdge DoS when signing the CSR from EdgeCore

KubeEdge is an open source system for extending native containerized application orchestration capabilities to hosts at Edge. Prior to versions 1.11.1, 1.10.2, and 1.9.4, EdgeCore may be susceptible to a DoS attack on CloudHub if an attacker was to send a well-crafted HTTP request to `/edge.crt`. If an attacker can send a well-crafted HTTP request to CloudHub, and that request has a very large body, that request can crash the HTTP service through a memory exhaustion vector. The request body is being read into memory, and a body that is larger than the available memory can lead to a successful attack. Because the request would have to make it through authorization, only authorized users may perform this attack. The consequence of the exhaustion is that CloudHub will be in denial of service. KubeEdge is affected only when users enable the CloudHub module in the file `cloudcore.yaml`. This bug has been fixed in Kubeedge 1.11.1, 1.10.2, and 1.9.4. As a workaround, disable the CloudHub switch in the config file `cloudcore.yaml`.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

未加控制的资源消耗(资源穷尽)

KubeEdge 资源管理错误漏洞

KubeEdge是KubeEdge开源的一个 Kubernetes 原生边缘计算框架。基于 Kubernetes 构建，并将本机容器化应用编排和设备管理扩展到边缘主机。 KubeEdge 1.11.1之前版本、1.10.2之前版本 和 1.9.4之前版本存在资源管理错误漏洞，该漏洞源于如果攻击者可以向 CloudHub 发送精心设计的 HTTP 请求，并且该请求具有非常大的主体，则该请求可能通过内存耗尽向量使 HTTP 服务崩溃，攻击者利用该漏洞可以发送大消息来耗尽内存并导致 DoS。

N/A

N/A