A program with this vulnerability may crash when it processes messages that contain malicious Protobuf. If the version of Gogo Protobuf you are using is too low, this vulnerability may be present.
Kubernetes system components have their own recovery mechanism for crashes and do not interrupt service when they encounter a maliciously submitted Protobuf message, so they are not within the scope affected by the vulnerability.
If your application receives and processes Protobuf messages and the component has no recovery mechanism for such a crash, that program is within the scope of the vulnerability, and its service may be interrupted when such a malicious message arrives.
The Kubernetes community has tested and verified that the API Server is not affected by this vulnerability, but to protect you from the hidden risk of this security vulnerability, the community has upgraded the relevant
If you use automatically generated Protobuf messages in your application code and find that the relevant component exits with the following exception, the vulnerability may be present.
```
panic: runtime error: index out of range [-9223372036854775804]

goroutine 1 [running]:
v1.(*MessageName).Unmarshal(0xc00006f1e8, 0xc0000281a8, 0xa, 0x10, 0xc00006f1b8, 0x1)
	.../protofile.pb.go:250 +0xb86
```
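As an added illustration (not part of this advisory or of the Gogo Protobuf project), the recovery mechanism the advisory refers to, in Go: a wrapper that turns the runtime panic raised by a generated Unmarshal into an ordinary error so the process keeps running. The Unmarshaler interface, the toyMessage type and its length-prefix decoder are constructed stand-ins for generated code, not gogo's own.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"runtime"
)

type Unmarshaler interface{ Unmarshal(data []byte) error } // what every generated message exposes
// ErrMalformedMessage is returned when Unmarshal panics instead of failing cleanly.
var ErrMalformedMessage = errors.New("protobuf: malformed message made Unmarshal panic")

// SafeUnmarshal is the recovery mechanism the advisory refers to: it runs the generated
// Unmarshal and turns a runtime panic (such as the "index out of range" above) into an error.
func SafeUnmarshal(m Unmarshaler, data []byte) (err error) {
	defer func() {
		if r := recover(); r != nil {
			re, ok := r.(runtime.Error) // only index/slice/nil runtime faults are converted
			if !ok {
				panic(r) // anything else is a genuine bug: re-raise it
			}
			err = fmt.Errorf("%w: %v", ErrMalformedMessage, re)
		}
	}()
	return m.Unmarshal(data)
}

// toyMessage is a constructed stand-in for a gogo-generated type: its Unmarshal decodes one
// length-prefixed field and, like the defective generated code, checks only the upper bound.
type toyMessage struct{ Payload []byte }
func (t *toyMessage) Unmarshal(data []byte) error {
	var length, i int
	for shift := uint(0); ; shift += 7 { // base-128 varint, high bit means "more bytes"
		if i >= len(data) { return errors.New("unexpected EOF") }
		b := data[i]; i++
		length |= int(b&0x7f) << shift // a 10th byte overflows into the sign bit
		if b < 0x80 { break }
	}
	end := i + length
	if end > len(data) { // the missing guard is `end < i`, i.e. a negative length
		return errors.New("unexpected EOF")
	}
	t.Payload = data[i:end] // panics with "slice bounds out of range" when end < i
	return nil
}

func main() {
	bad := append(bytes.Repeat([]byte{0xff}, 9), 0x7f) // constructed: varint that decodes to -1
	fmt.Println(SafeUnmarshal(&toyMessage{}, bad))     // an error, not a crashed process
}
```

The wrapper is a stop-gap for services without their own recovery; regenerating the messages with a fixed compiler remains the actual fix.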
If you use a component that handles Protobuf messages, it is recommended to upgrade the Gogo Protobuf compiler to the fixed version (v1.3.2 or higher) and then regenerate the relevant Protobuf messages based on the upgraded
Fixed by official
Fixed by KLTS
- v1.17.17-lts.1 kubernetes/kubernetes#101327
- v1.16.15-lts.1 kubernetes/kubernetes#101327
- v1.15.12-lts.1 kubernetes/kubernetes#101327
- v1.14.10-lts.1 kubernetes/kubernetes#101327
- v1.13.12-lts.1 kubernetes/kubernetes#101327
- v1.12.10-lts.1 kubernetes/kubernetes#101327
- v1.11.10-lts.1 kubernetes/kubernetes#101327
- v1.10.13-lts.1 kubernetes/kubernetes#101327