계: Environment

이 섹션에는 소스 코드 외부에 있지만 제작 중인 제품의 보안에는 여전히 중요한 내용이 모두 포함되어 있습니다. 이 섹션에서 다루는 문제들은 소스 코드와 직접적으로 관련이 없기 때문에 나머지 섹션과 분리했습니다.

Kubernetes Misconfiguration: Uncontrolled Kubelet Resource Consumption

YAML

Abstract

구성이 무제한 리소스 사용을 허용합니다.

Explanation

청구 가능 컴퓨팅 리소스에는 CPU 사용량, 메모리, 영구 저장소, 네트워크 연결을 비롯한 여러 항목이 포함됩니다. 리소스 사용량 제한이 없으면 공격자가 사용 가능 리소스를 모두 소진하거나 과도한 요금을 발생시키는 서비스 거부 상황을 야기할 수 있습니다.

References

[1] Standards Mapping - CIS Kubernetes Benchmark Recommendation 4.2.13

[2] Standards Mapping - Common Weakness Enumeration CWE ID 770

[3] Standards Mapping - Common Weakness Enumeration Top 25 2024 [24] CWE ID 400

[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094

[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)

[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection

[7] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption, API8 Security Misconfiguration

[8] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service

[9] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[10] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[12] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.3 - Web Software Attack Mitigation

[23] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 404

[24] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II

[46] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)

[47] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service

desc.structural.iac.misconfiguration_uncontrolled_resource_consumption.base