CVE-2024-58259

Rancher · Rancher Multiple Products

A high-severity vulnerability has been discovered in multiple Rancher products that could allow an attacker to cause a Denial of Service (DoS).

Executive summary

A high-severity vulnerability has been discovered in multiple Rancher products that could allow an attacker to cause a Denial of Service (DoS). The flaw exists because certain API endpoints fail to limit the size of incoming data, enabling an attacker to overwhelm the system with excessively large requests, rendering the Rancher management interface unavailable for legitimate users. This can lead to significant disruption in managing and monitoring Kubernetes clusters.

Vulnerability

The vulnerability lies in the lack of request body size enforcement on specific API endpoints within Rancher Manager, including some that do not require authentication. An attacker can exploit this by sending a specially crafted HTTP request with an extremely large body. The server attempts to process this oversized request, leading to excessive consumption of memory and CPU resources, which ultimately results in resource exhaustion and a Denial of Service (DoS) condition, making the Rancher API and UI inaccessible.
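The bug class described above, and its fix, as an added Go example written for this page (it is not Rancher's code and does not reproduce the affected endpoints; the path, the 1 MiB cap and the handler names are assumptions). The vulnerable handler buffers an unbounded body with io.ReadAll; the hardened version refuses oversize requests by declared Content-Length and then caps the bytes actually read with http.MaxBytesReader, which also catches chunked bodies that declare no length at all.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// MaxBodyBytes is the per-request cap used by the hardened handler. The value
// is an assumption for this example, not a limit taken from Rancher.
const MaxBodyBytes int64 = 1 << 20 // 1 MiB

// vulnerableHandler shows the bug class: io.ReadAll buffers the whole body in
// memory with no upper bound, so a client streaming a multi-gigabyte (or
// endless chunked) body grows the process until it is killed. Nothing here
// requires credentials, as with the unauthenticated endpoints in the advisory.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	if err != nil {
		http.Error(w, "read error", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "read %d bytes", len(body))
}

// limitBody wraps a handler with a body cap. The declared Content-Length is
// checked first so obviously oversize requests are refused without reading
// anything; MaxBytesReader then enforces the same cap for chunked bodies and
// for clients that lie about Content-Length.
func limitBody(max int64, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.ContentLength > max {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		r.Body = http.MaxBytesReader(w, r.Body, max)
		next.ServeHTTP(w, r)
	})
}

// hardenedHandler performs the same read but maps the MaxBytesReader error to
// 413 so the client learns why it was refused. On a real server MaxBytesReader
// also marks the connection for closing, so the rest of the body is never drained.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	if err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "read error", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "read %d bytes", len(body))
}

// Vulnerable is the unprotected handler; Hardened has the cap applied by middleware.
var Vulnerable http.Handler = http.HandlerFunc(vulnerableHandler)
var Hardened = limitBody(MaxBodyBytes, http.HandlerFunc(hardenedHandler))

// send posts size bytes to h and returns the status code and response body.
// With declareLength=false the request carries no Content-Length, which is how
// a chunked upload arrives and how an attacker bypasses a header-only check.
func send(h http.Handler, size int, declareLength bool) (int, string) {
	req := httptest.NewRequest(http.MethodPost, "/v3/example", strings.NewReader(strings.Repeat("A", size)))
	if !declareLength {
		req.ContentLength = -1
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

func main() {
	code, body := send(Vulnerable, 4<<20, true)
	fmt.Println("vulnerable:", code, body) // buffers all 4 MiB and answers 200
	code, body = send(Hardened, 4<<20, true)
	fmt.Println("hardened, declared length:", code, body) // 413 before any read
	code, body = send(Hardened, 4<<20, false)
	fmt.Println("hardened, no Content-Length:", code, body) // 413 from MaxBytesReader
	code, body = send(Hardened, 512, true)
	fmt.Println("hardened, small body:", code, body) // 200
}
```

The third call is the one that matters: it sends the same 4 MiB with no Content-Length, and only the MaxBytesReader stops it. A header-only check would let it through. In a real service the cap belongs in middleware ahead of routing so that unauthenticated endpoints are covered as well as authenticated ones.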

Business impact

This vulnerability is rated as High severity with a CVSS score of 8.2. The primary business impact is a Denial of Service attack, which would make the Rancher management plane inaccessible. This prevents administrators from deploying, managing, or monitoring their Kubernetes clusters, potentially leading to significant operational disruption, downtime for critical applications managed by Rancher, and failure to meet service level agreements (SLAs). The fact that some vulnerable endpoints are unauthenticated significantly widens the attack surface, allowing any remote attacker to attempt exploitation.

Remediation

Immediate Action: Apply vendor security updates immediately to all affected Rancher Manager instances. After patching, continue to monitor for exploitation attempts and review historical access logs for signs of earlier attempts, such as unusually large requests to unauthenticated endpoints, that may have occurred prior to remediation.

Proactive Monitoring:

  • Log Analysis: Review reverse proxy, ingress, and Rancher application logs for HTTP requests with unusually large Content-Length headers or requests that resulted in resource exhaustion errors. Chunked uploads carry no Content-Length, so also look at the bytes actually received per request (for example the request_length field in nginx-style access logs) and at requests that were still open when the client disconnected.
  • Performance Monitoring: Monitor Rancher Manager servers and pods for sustained and abnormal spikes in CPU and memory utilization, which could indicate an ongoing resource exhaustion attack.
  • Network Traffic Analysis: Look for patterns of large, sustained data flows to the Rancher API endpoints from unexpected or untrusted IP addresses.
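A small scanner for the log review above, as an added example for this page rather than anything from the Rancher project. The lines are constructed here in the default ingress-nginx access log layout (the request_length field is the total bytes read from the client, headers plus body); the paths, addresses and request IDs are placeholders, not the affected endpoints. It flags entries whose request size exceeds the 10 MB limit suggested on this page (10 MiB here) and counts them per source address, so a sustained flood from one client stands out.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed sample lines, not real Rancher logs. The fields follow the
// default ingress-nginx access log format: client, request line, status,
// bytes sent, referer, user agent, request_length, request_time, then the
// upstream fields. request_length is the full request size including the body.
const sampleLog = `203.0.113.7 - - [02/Sep/2025:10:15:01 +0000] "GET /v3/clusters HTTP/1.1" 200 5120 "-" "curl/8.4.0" 412 0.012 [cattle-system-rancher-80] [] 10.42.0.5:80 5120 0.011 200 a1
203.0.113.7 - - [02/Sep/2025:10:15:02 +0000] "POST /v3-public/example-endpoint HTTP/1.1" 499 0 "-" "python-requests/2.31" 2147483648 30.001 [cattle-system-rancher-80] [] 10.42.0.5:80 0 30.000 - a2
198.51.100.9 - - [02/Sep/2025:10:15:03 +0000] "POST /v3/tokens HTTP/1.1" 201 890 "-" "rancher-cli/2.9" 1344 0.020 [cattle-system-rancher-80] [] 10.42.0.5:80 890 0.019 201 a3
203.0.113.7 - - [02/Sep/2025:10:15:04 +0000] "POST /v3-public/example-endpoint HTTP/1.1" 502 150 "-" "python-requests/2.31" 1073741824 12.400 [cattle-system-rancher-80] [] 10.42.0.5:80 0 12.399 502 a4
`

// Finding is one access-log entry whose request size exceeded the threshold.
type Finding struct {
	Client        string
	Request       string
	Status        int
	RequestLength int64   // bytes read from the client, headers plus body
	RequestTime   float64 // seconds the request stayed open
}

// accessLine captures client, request line, status, request_length and
// request_time from a default-format ingress-nginx access log entry.
var accessLine = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \d+ "[^"]*" "[^"]*" (\d+) ([\d.]+)`)

// FindOversized scans access-log text and returns entries whose request_length
// exceeds threshold bytes. Lines in an unexpected layout are skipped rather
// than aborting the scan, since log formats drift between deployments.
func FindOversized(log string, threshold int64) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		m := accessLine.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		length, err := strconv.ParseInt(m[4], 10, 64)
		if err != nil || length <= threshold {
			continue
		}
		status, _ := strconv.Atoi(m[3])
		rt, _ := strconv.ParseFloat(m[5], 64)
		out = append(out, Finding{Client: m[1], Request: m[2], Status: status, RequestLength: length, RequestTime: rt})
	}
	return out
}

// CountBySource aggregates findings per client address, which is what turns a
// few large uploads into an identifiable flood from one source.
func CountBySource(fs []Finding) map[string]int {
	counts := make(map[string]int)
	for _, f := range fs {
		counts[f.Client]++
	}
	return counts
}

func main() {
	fs := FindOversized(sampleLog, 10<<20) // 10 MiB, matching the limit suggested on this page
	for _, f := range fs {
		fmt.Printf("%s %q status=%d request_length=%d request_time=%.3fs\n",
			f.Client, f.Request, f.Status, f.RequestLength, f.RequestTime)
	}
	for ip, n := range CountBySource(fs) {
		fmt.Printf("%s: %d oversized requests\n", ip, n)
	}
}
```

The two flagged lines show the pattern worth hunting for: very large request_length, a long request_time, and a 499 (client closed) or 502 (upstream failed) status on an unauthenticated path, repeated from one address. Tune the threshold to the body limit you actually enforce at the ingress.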

Compensating Controls:

  • Web Application Firewall (WAF)/API Gateway: If patching is not immediately possible, place a WAF or an API gateway in front of Rancher Manager. Configure a rule to enforce a reasonable request body size limit (e.g., 10MB) and block any requests that exceed this threshold. The limit must apply to the bytes actually received, not only to the declared Content-Length header, otherwise a chunked request with no Content-Length passes straight through.
  • Rate Limiting: Implement rate limiting on the load balancer or ingress controller to mitigate the impact of an attacker sending numerous large requests in a short period.
  • Access Control: Where possible, restrict network access to the Rancher Manager API to only trusted IP address ranges to limit exposure of the unauthenticated endpoints.

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability poses a high risk to the availability of the Rancher management platform. Given the CVSS score of 8.2, the unauthenticated attack surface, and the potential for significant operational disruption, organizations are strongly advised to prioritize the application of the vendor-supplied security updates to all affected Rancher instances. Although this vulnerability is not currently listed on the CISA KEV catalog, its severity warrants immediate attention. If patching cannot be performed immediately, implement compensating controls such as a body size limit at the WAF or ingress to reduce the risk of a Denial of Service attack.