CVE-2024-0793: 
Red Hat Enterprise Linux CoreOS (RHCOS) vulnerability analysis and mitigation

A vulnerability (CVE-2024-0793) was discovered in kube-controller-manager that can cause a denial of service condition. The issue occurs when applying an initial HPA (Horizontal Pod Autoscaler) config YAML that lacks a .spec.behavior.scaleUp block, resulting in KCM (Kubernetes Controller Manager) pods entering a restart churn state. This vulnerability was reported by Mikel Duke from USAA and has been assigned a CVSS v3 base score of 7.7, indicating an Important severity level (Red Hat CVE).

The vulnerability is classified as CWE-20 (Improper Input Validation) and has a CVSS v3 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H. The attack vector is network-based with low attack complexity and requires low privileges. No user interaction is needed, and while the scope is changed, the vulnerability only impacts availability without affecting confidentiality or integrity (Red Hat CVE).

The primary impact of this vulnerability is on system availability. When exploited, it can cause DoS conditions including program crashes, excessive CPU consumption, and memory resource consumption. The vulnerability specifically affects the KCM pods, causing them to enter a continuous restart cycle when processing malformed HPA configurations (Red Hat CVE).

Currently, no official mitigation is available that meets Red Hat Product Security criteria for ease of use, deployment, and stability. Red Hat has released security updates to address this vulnerability in OpenShift Container Platform versions 4.12 and 4.13 through security advisories RHSA-2024:1267 and RHSA-2024:0741 (Red Hat CVE, Red Hat Advisory).