CVE-2019-11254: 
NixOS vulnerability analysis and mitigation

CVE-2019-11254 is a denial of service vulnerability discovered in the Kubernetes API Server component. The vulnerability affects versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7, and 1.17.3. This vulnerability has been assigned a Medium severity rating with a CVSS v3.1 Base Score of 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) (Kubernetes Announce, NVD).

The vulnerability allows authorized users to send malicious YAML payloads that cause the kube-apiserver to consume excessive CPU cycles while parsing YAML. The issue was initially discovered through fuzz testing, specifically via kubernetes/kubernetes#83750 (Kubernetes Issue).

When successfully exploited, this vulnerability can lead to a Denial of Service (DoS) condition by causing the kube-apiserver to consume excessive CPU resources, potentially affecting the availability of the Kubernetes cluster (NetApp Advisory).

Prior to upgrading, the vulnerability can be mitigated by preventing unauthenticated or unauthorized access to kube-apiserver. The issue has been fixed in versions v1.15.10, v1.16.7, and v1.17.3. Users are recommended to upgrade to these patched versions (Kubernetes Issue).

The vulnerability was responsibly disclosed and handled through the Kubernetes security response process. Credit for discovery was given to Mark Wolters from Google for writing the fuzz tests and Mike Danese from Google for reporting the issue (Kubernetes Announce).