Kyverno Unbounded Memory Consumption Vulnerability Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in Kyverno versions through 1.16.2 and 1.15.2. The issue arises from unbounded memory consumption in the policy engine: a user with policy-creation privileges can craft a policy whose context variables amplify string data exponentially. The resulting memory usage causes Kyverno pods to be OOM killed, disrupting any service that relies on Kyverno for policy enforcement or mutation.

Impact

Exploitation of this vulnerability causes a denial-of-service condition by exhausting memory, leading to pod OOM kills. The reports controller can enter a crash loop, and policy enforcement can be disabled cluster-wide: if 'failurePolicy: Ignore' is set, admission requests that the crashed webhook cannot answer are admitted anyway, so workloads bypass validation.

Reproduction

The vulnerability can be reproduced by creating a policy that uses context variables to amplify string data exponentially: the policy generates random strings and then repeatedly doubles that data through context variable chaining, producing a memory exhaustion scenario. Once the policy is applied, it is triggered by creating a resource that the policy matches; the admission controller then crashes due to excessive memory usage.

Remediation

To prevent unbounded memory growth, users can limit the maximum context size used during policy evaluation by setting the 'maxContextSize' parameter in the Kyverno configuration.
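As a defender-side complement to the size limit above, the following is an added audit heuristic (not Kyverno's own code, and not part of this advisory) that walks the context entries of a ClusterPolicy and estimates how many copies of the base data each context variable carries after chained substitution, flagging policies that match the amplification pattern described in the Reproduction section. It assumes the Kyverno policy schema fields spec.rules[].context[].name and .variable.value / .variable.jmesPath, and the {{ name }} substitution syntax; the sample policy, the thresholds and the audit_policy / analyze_rule_context function names are constructed for this example.

```python
"""Heuristic audit of Kyverno policy context variables for chained
self-substitution (data amplification). Added example, not Kyverno code."""
import re
from typing import Any, Dict, List, Tuple

# Kyverno substitutes context variables written as {{ name }} (optionally
# followed by a JMESPath tail or filter); a context entry's own `jmesPath`
# field refers to earlier entries by bare identifier instead.
SUBST_RE = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)")

# Constructed sample policy, already parsed into a dict. In practice, load
# policies with yaml.safe_load from `kubectl get clusterpolicies -o yaml`.
SAMPLE_POLICY = {
    "apiVersion": "kyverno.io/v1",
    "kind": "ClusterPolicy",
    "metadata": {"name": "sample-chained-context"},
    "spec": {"rules": [{
        "name": "chain",
        "match": {"any": [{"resources": {"kinds": ["Pod"]}}]},
        "context": [
            # benign entries: one JMESPath lookup and one single reference
            {"name": "pod_name", "variable": {"jmesPath": "request.object.metadata.name"}},
            {"name": "label", "variable": {"value": "app-{{ pod_name }}"}},
            # chained entries: each one substitutes the previous one twice
            {"name": "seed", "variable": {"value": "{{ request.object.metadata.uid }}"}},
            {"name": "step1", "variable": {"value": "{{ seed }}{{ seed }}"}},
            {"name": "step2", "variable": {"value": "{{ step1 }}{{ step1 }}"}},
            {"name": "step3", "variable": {"value": "{{ step2 }}{{ step2 }}"}},
        ],
        "validate": {"message": "constructed sample", "pattern": {}},
    }]},
}


def _strings(node: Any, path: Tuple[str, ...] = ()) -> List[Tuple[str, str]]:
    """Flatten a context entry into (dotted field path, string value) pairs."""
    if isinstance(node, str):
        return [(".".join(path), node)]
    out: List[Tuple[str, str]] = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key != "name":  # the entry's own name is not a reference
                out.extend(_strings(value, path + (key,)))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            out.extend(_strings(value, path + (str(i),)))
    return out


def count_references(entry: Dict[str, Any], known: List[str]) -> Dict[str, int]:
    """Count how many times `entry` references each earlier context variable."""
    counts: Dict[str, int] = {}
    for field, text in _strings(entry):
        if field.endswith("jmesPath"):
            # bare identifiers inside a JMESPath expression
            names = [n for n in known
                     for _ in re.findall(rf"\b{re.escape(n)}\b", text)]
        else:
            names = [n for n in SUBST_RE.findall(text) if n in known]
        for n in names:
            counts[n] = counts.get(n, 0) + 1
    return counts


def analyze_rule_context(context: List[Dict[str, Any]]) -> Dict[str, Dict[str, int]]:
    """Per variable: estimated copies of base data (amplification) and the
    length of the longest chain of context entries feeding it (depth)."""
    amplification: Dict[str, int] = {}
    depth: Dict[str, int] = {}
    known: List[str] = []
    for entry in context:
        name = entry["name"]
        refs = count_references(entry, known)
        # an entry with no inputs carries a single copy of its own data
        amplification[name] = sum(c * amplification[r] for r, c in refs.items()) or 1
        depth[name] = 1 + max((depth[r] for r in refs), default=0)
        known.append(name)
    return {"amplification": amplification, "depth": depth}


def audit_policy(policy: Dict[str, Any], max_amplification: int = 4,
                 max_depth: int = 3) -> List[str]:
    """Return one finding per context variable exceeding either threshold."""
    findings: List[str] = []
    for rule in policy.get("spec", {}).get("rules", []):
        stats = analyze_rule_context(rule.get("context", []))
        for name, amp in stats["amplification"].items():
            if amp > max_amplification or stats["depth"][name] > max_depth:
                findings.append(
                    f"{policy['metadata']['name']}/{rule['name']}: context variable "
                    f"'{name}' carries ~{amp}x the base data through "
                    f"{stats['depth'][name]} chained entries")
    return findings


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(finding)
```

The amplification estimate is deliberately crude: it treats every substitution as a full copy and ignores filters that shorten data, so it over-reports rather than under-reports, which is the right bias for a pre-admission check on policies submitted by less trusted users. Thresholds should be tuned to the legitimate chaining depth seen in your own policy set.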

Added: Jan 27, 2026, 5:21 PM
Updated: Jan 27, 2026, 5:21 PM

Vulnerability Rating

Custom Algorithm
spread: 2.6
impact: 2.5
exploitability: 5.8
remediation: 8.3
relevance: 2.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.