GHSA-p4rx-7wvg-fwrc

Suggest an improvement
Source
https://github.com/advisories/GHSA-p4rx-7wvg-fwrc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-p4rx-7wvg-fwrc/GHSA-p4rx-7wvg-fwrc.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-p4rx-7wvg-fwrc
Aliases
Published
2024-01-10T15:27:45Z
Modified
2024-06-28T15:59:54.674723Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
CRI-O's pods can break out of resource confinement on cgroupv2
Details

Impact

What kind of vulnerability is it? Who is impacted? All versions of CRI-O running on cgroupv2 nodes. Unchecked access to an experimental annotation allows a container to be unconfined. Back in 2021, support was added to support an experimental annotation that allows a user to request special resources in cgroupv2. It was supposed to be gated by an experimental annotation: io.kubernetes.cri-o.UnifiedCgroup, which was supposed to be filtered from the list of allowed annotations . However, there is a bug in this code which allows any user to specify this annotation, regardless of whether it's enabled on the node. The consequences of this are a pod can specify any amount of memory/cpu and get it, circumventing the kubernetes scheduler, and potentially be able to DOS a node.

Patches

Has the problem been patched? What versions should users upgrade to? 1.29.1, 1.28.3, 1.27.3

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading? use cgroupv1

References

Are there any links users can visit to find out more?

References

Affected packages

Go / github.com/cri-o/cri-o

Package

Name
github.com/cri-o/cri-o
View open source insights on deps.dev
Purl
pkg:golang/github.com/cri-o/cri-o

Affected ranges

Type
SEMVER
Events
Introduced
1.29.0
Fixed
1.29.1

Affected versions

1.*

1.29.0

Go / github.com/cri-o/cri-o

Package

Name
github.com/cri-o/cri-o
View open source insights on deps.dev
Purl
pkg:golang/github.com/cri-o/cri-o

Affected ranges

Type
SEMVER
Events
Introduced
1.28.0
Fixed
1.28.3

Go / github.com/cri-o/cri-o

Package

Name
github.com/cri-o/cri-o
View open source insights on deps.dev
Purl
pkg:golang/github.com/cri-o/cri-o

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.27.3