Notice on CRI-O Container Runtime Engine Arbitrary Code Execution Vulnerability (CVE-2022-0811)
Description
A security vulnerability in CRI-O 1.19 was found by the CrowdStrike security team. An attacker can use it to bypass protections and set arbitrary kernel parameters on the host. As a result, any user with permission to deploy a pod on a Kubernetes cluster that uses the CRI-O runtime can abuse the kernel.core_pattern kernel parameter to escape the container and execute arbitrary code as root on any node in the cluster.
This vulnerability has been assigned CVE-2022-0811.
Type | CVE-ID | Severity | Discovered
---|---|---|---
Container escape | CVE-2022-0811 | High | 2021-03-16
Impact
This vulnerability affects Kubernetes clusters that use CRI-O 1.19 or later. The patched versions are 1.19.6, 1.20.7, 1.21.6, 1.22.3, 1.23.2, and 1.24.0.
CCE clusters are not affected by this vulnerability because they do not use CRI-O.
Solution
- For CRI-O v1.19 and v1.20, set manage_ns_lifecycle to false so that sysctls are configured by the Open Container Initiative (OCI) runtime instead.
- Create a PodSecurityPolicy that disallows all sysctls.
- Upgrade CRI-O to a patched version in a timely manner.
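The following audit script is an added example, not part of this notice or of the CRI-O project: it compares each node's reported container runtime version against the patched releases listed above and lists the pods that ask the runtime to set sysctls, which is the request path the vulnerability abuses. The node and pod records are constructed samples in the shape of `kubectl get nodes -o json` and `kubectl get pods -o json`.

```python
import re

# First CRI-O patch release per minor that carries the fix (versions listed in the notice).
FIXED_PATCH = {19: 6, 20: 7, 21: 6, 22: 3, 23: 2, 24: 0}
_CRIO_RE = re.compile(r"^cri-o://v?(\d+)\.(\d+)\.(\d+)")

def crio_is_vulnerable(runtime_version: str) -> bool:
    """True if a node's status.nodeInfo.containerRuntimeVersion names an
    unpatched CRI-O release. Other runtimes (containerd, docker) are unaffected."""
    m = _CRIO_RE.match(runtime_version)
    if not m:
        return False
    major, minor, patch = (int(x) for x in m.groups())
    if major != 1 or minor < 19:
        return False  # the bug was introduced in 1.19
    if minor not in FIXED_PATCH:
        return False  # minors after 1.24 were released after the fix
    return patch < FIXED_PATCH[minor]

def pods_setting_sysctls(pods):
    """(namespace, name, [sysctl names]) for each pod that asks the runtime to set
    sysctls; on an unpatched node that request is the path the notice describes."""
    hits = []
    for pod in pods:
        sc = pod.get("spec", {}).get("securityContext") or {}
        names = [s["name"] for s in sc.get("sysctls") or []]
        if names:
            meta = pod["metadata"]
            hits.append((meta.get("namespace", "default"), meta["name"], names))
    return hits

def audit(nodes, pods):
    """Unpatched nodes and sysctl-requesting pods, the two halves of the exposure."""
    bad = [n["metadata"]["name"] for n in nodes
           if crio_is_vulnerable(n["status"]["nodeInfo"]["containerRuntimeVersion"])]
    return {"vulnerable_nodes": bad, "sysctl_pods": pods_setting_sysctls(pods)}

# Constructed sample data, not taken from any real cluster.
SAMPLE_NODES = [
    {"metadata": {"name": "node-a"}, "status": {"nodeInfo": {"containerRuntimeVersion": "cri-o://1.20.3"}}},
    {"metadata": {"name": "node-b"}, "status": {"nodeInfo": {"containerRuntimeVersion": "cri-o://1.22.3"}}},
    {"metadata": {"name": "node-c"}, "status": {"nodeInfo": {"containerRuntimeVersion": "containerd://1.6.2"}}},
]
SAMPLE_PODS = [
    {"metadata": {"name": "web", "namespace": "prod"}, "spec": {}},
    {"metadata": {"name": "tuned", "namespace": "prod"},
     "spec": {"securityContext": {"sysctls": [{"name": "net.ipv4.ip_local_port_range", "value": "1024 65535"}]}}},
]
if __name__ == "__main__":
    print(audit(SAMPLE_NODES, SAMPLE_PODS))
```

Only node-a (CRI-O 1.20.3, below the 1.20.7 fix) is reported; node-b runs a patched release and node-c does not use CRI-O.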
Helpful Links
- Red Hat community vulnerability notice: https://access.redhat.com/security/cve/cve-2022-0811
- cr8escape: New Vulnerability in CRI-O Container Engine Discovered by CrowdStrike: https://www.crowdstrike.com/blog/cr8escape-new-vulnerability-discovered-in-cri-o-container-engine-cve-2022-0811/