CRI-O code execution | CVE-2022-0811
NAME
CRI-O code execution
- Platforms Affected:
 CRI-O CRI-O 1.19.0
 CRI-O CRI-O 1.19.5
 CRI-O CRI-O 1.20.6
 CRI-O CRI-O 1.21.5
 CRI-O CRI-O 1.22.2
 CRI-O CRI-O 1.23.1
- Risk Level:
 8.8
- Exploitability:
 Unproven
- Consequences:
 Gain Access
DESCRIPTION
CRI-O could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a container escape flaw in the way kernel options are set for a pod. By deploying a specially crafted pod, an attacker could exploit this vulnerability to execute arbitrary code as root on the cluster node.
CVSS 3.0 Information
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Access Vector: Network
- Access Complexity: Low
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
- Remediation Level: Official Fix
MITIGATION
Upgrade to the latest version of CRI-O (1.19.6, 1.20.7, 1.21.6, 1.22.3, 1.23.2, 1.24.0 or later), available from the CRI-O GIT Repository. See References.
- Reference Link:
 https://bugzilla.redhat.com/show_bug.cgi?id=2059475
- Reference Link:
 https://github.com/cri-o/cri-o/security/advisories/GHSA-6x2m-w449-qwx7
