VYPR · Low severity · NVD Advisory · Published Jul 27, 2023 · Updated Oct 15, 2024

Crossplane vulnerable to denial of service from large image

CVE-2023-37900

Description

Crossplane is a framework for building cloud native control planes without needing to write code. In versions prior to 1.11.5, 1.12.3, and 1.13.0, a high-privileged user could create a Package referencing an arbitrarily large image that Crossplane would then parse, possibly exhausting all available memory and causing the container to be OOMKilled. The impact is limited by the high privileges required to create the Package and by the eventually consistent nature of the controller. This issue is fixed in versions 1.11.5, 1.12.3, and 1.13.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

High-privileged Crossplane users can cause a denial of service by creating a Package with an arbitrarily large image, exhausting memory and crashing the container.

Vulnerability Details

CVE-2023-37900 is a denial-of-service vulnerability in Crossplane, a framework for building cloud-native control planes. The issue affects versions prior to 1.11.5, 1.12.3, and 1.13.0. A high-privileged user can create a Package that references an arbitrarily large container image. When Crossplane parses this image, it can consume all available memory in the container, causing it to be terminated by the Out-Of-Memory (OOM) killer [1][4].

Attack Vector and Prerequisites

Exploitation requires high privileges within the Crossplane environment; the attacker must have permissions to create or edit Packages. The attack is performed by crafting a Package that points to an oversized image, which Crossplane's controller then attempts to parse. No additional authentication or network access beyond the existing control-plane permissions is needed [1][4]. The impact is further limited by the eventually consistent nature of the controller, which may delay or mitigate memory exhaustion under certain conditions [1].

Impact

A successful attack results in a denial of service: the Crossplane container is OOM-killed, disrupting the availability of the control plane. Since high privileges are required, the overall risk is considered low, but in environments where multiple high-privileged users exist, the vulnerability could be used to destabilise operations [1][4].

Mitigation

The vulnerability is patched in Crossplane versions 1.11.5, 1.12.3, and 1.13.0, which are all supported releases at the time of publication [1][4]. Users should upgrade to these or later versions. As a workaround, administrators can restrict Package creation privileges to trusted users and ensure only images from trusted sources are used, which aligns with recommended best practices [4].
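The memory exhaustion described under Vulnerability Details comes from parsing an image of unbounded size; the defensive pattern is to cap how much of the image the controller is willing to read before it gives up. The Go program below is an added illustration of that pattern and is not Crossplane's code or its actual fix. It assumes a Crossplane package is an OCI image whose layer is a tar archive containing a manifest named package.yaml, and the two size caps are assumed values chosen for the demonstration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
)

// Assumed caps for this illustration, not Crossplane's own values.
const maxEntrySize, maxLayerSize = 1 << 20, 8 << 20 // 1 MiB manifest, 8 MiB per layer
var ErrTooLarge = errors.New("package layer exceeds configured size limit")
var ErrNotFound = errors.New("package manifest not found in layer")

// extractBounded scans a tar stream (an OCI image layer) for wantName. Other entries
// are skipped without buffering, the wanted one is buffered only if its declared size
// fits maxEntrySize, and reading stops at maxLayerSize bytes, so an oversized image
// fails fast with ErrTooLarge instead of exhausting the controller's memory.
func extractBounded(layer io.Reader, wantName string) ([]byte, error) {
	lr := &io.LimitedReader{R: layer, N: maxLayerSize + 1}
	tr := tar.NewReader(lr)
	for {
		hdr, err := tr.Next()
		if err != nil {
			if lr.N <= 0 { // budget exhausted before a usable manifest was found
				err = ErrTooLarge
			} else if errors.Is(err, io.EOF) {
				err = ErrNotFound
			}
			return nil, err
		}
		if hdr.Name != wantName {
			continue // tar.Reader discards this entry's body; nothing is buffered
		}
		if hdr.Size > maxEntrySize {
			return nil, ErrTooLarge // reject on the declared size, before reading
		}
		return io.ReadAll(io.LimitReader(tr, maxEntrySize))
	}
}

func main() {
	// Constructed sample: a layer whose manifest header declares a 1 GiB body.
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	tw.WriteHeader(&tar.Header{Name: "package.yaml", Mode: 0o644, Size: 1 << 30})
	_, err := extractBounded(&buf, "package.yaml")
	fmt.Println(err) // package layer exceeds configured size limit
}
```

The same function also rejects a layer that streams more than maxLayerSize bytes before the manifest appears, which is the case where the declared sizes look harmless but the image as a whole is huge.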

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package (ecosystem)                    Affected versions       Patched versions
github.com/crossplane/crossplane (Go)  < 1.11.5                1.11.5
github.com/crossplane/crossplane (Go)  >= 1.12.0, < 1.12.3     1.12.3

Affected products: 9

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in our index yet)