Notice on CRI-O Container Runtime Engine Arbitrary Code Execution Vulnerability (CVE-2022-0811)
Description
A security vulnerability in CRI-O 1.19 and later was found by the CrowdStrike security team, which named it cr8escape. CRI-O's pinns helper, which applies a pod's requested sysctls on the node, did not validate the values it received, so the value of an allowed sysctl could inject additional, unchecked kernel parameters on the host. As a result, any user with permission to deploy a pod on a Kubernetes cluster that uses the CRI-O runtime can abuse the kernel.core_pattern parameter (the host's core-dump handler) to escape the container and execute arbitrary code as root on any node in the cluster.
This vulnerability has been assigned CVE-2022-0811.
Type | CVE-ID | Severity | Discovered
---|---|---|---
Container escape | CVE-2022-0811 | High | 2022-03-16
Impact
This vulnerability affects Kubernetes clusters that use CRI-O 1.19 or later. It is fixed in CRI-O 1.19.6, 1.20.7, 1.21.6, 1.22.3, 1.23.2, and 1.24.0; earlier patch releases of the 1.19 to 1.23 minor versions are vulnerable.
CCE clusters are not affected by this vulnerability because they do not use CRI-O.
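The version boundaries above are easy to misread when auditing a fleet of nodes by hand. The following check is an added example, not code from this notice or from the CRI-O project: it parses the version string a node reports (for instance the output of `crio --version`, which is assumed to contain a `major.minor.patch` number) and reports whether that build falls in the affected range, using only the fixed releases listed in this notice.

```python
"""Decide whether a CRI-O build is affected by CVE-2022-0811 (cr8escape).

Added example, not part of the original notice or of the CRI-O project.
Affected: CRI-O 1.19.0 and later, up to but excluding the first fixed
patch release of each minor version listed in the notice.
"""
from __future__ import annotations

import re

# First fixed patch release per minor version, taken from the notice.
# 1.24.0 and any later minor version never shipped vulnerable.
FIXED_PATCH = {19: 6, 20: 7, 21: 6, 22: 3, 23: 2}
FIRST_VULNERABLE_MINOR = 19
FIRST_CLEAN_MINOR = 24

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int]:
    """Extract major.minor.patch from strings such as 'crio version 1.21.5'.

    Pre-release or build suffixes after the patch number are ignored
    (assumption: a node's banner always contains a dotted triple).
    """
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no major.minor.patch version found in {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return major, minor, patch


def is_affected(text: str) -> bool:
    """True if the CRI-O version in `text` is vulnerable to CVE-2022-0811."""
    major, minor, patch = parse_version(text)
    if major != 1:
        # Only the 1.x release line exists; anything else is out of scope.
        return False
    if minor < FIRST_VULNERABLE_MINOR:
        # pinns did not apply sysctls before 1.19, so nothing to inject into.
        return False
    if minor >= FIRST_CLEAN_MINOR:
        # 1.24.0 and later shipped with the fix from the start.
        return False
    return patch < FIXED_PATCH[minor]


if __name__ == "__main__":
    # Constructed sample banners, not real node output.
    for banner in ("crio version 1.21.5", "crio version 1.21.6", "1.18.4"):
        state = "AFFECTED" if is_affected(banner) else "not affected"
        print(f"{banner}: {state}")
```

Run it against the version reported by each node; a node is only clear once `is_affected` returns False for the exact patch release it runs, so a 1.23.1 node is still vulnerable even though 1.23 is a "supported" minor version.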
Solution
- For CRI-O v1.19 and v1.20, set manage_ns_lifecycle to false in the CRI-O configuration so that sysctls are applied by the Open Container Initiative (OCI) runtime instead of by pinns. This setting is only available in those two versions.
- Create a PodSecurityPolicy that forbids all sysctls (forbiddenSysctls: ["*"]) so that no pod can pass sysctls to the runtime at all; where PodSecurityPolicy is not available, enforce the same rule with an admission controller.
- Upgrade CRI-O to a fixed version as soon as possible. The workarounds above only block the injection path; they do not fix pinns.
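Until every node is upgraded, a cluster operator will want to know whether any pod is already using the injection path. The following audit is an added example, not code from this notice, from CRI-O or from Kubernetes. It relies on the mechanism described in the linked CrowdStrike write-up: pinns received a pod's sysctls as one `key=value+key=value` string and did not reject a `+` or `=` inside a value, so a value for an allowed sysctl could smuggle a second, unvalidated parameter such as kernel.core_pattern. The function takes a Pod manifest as a dict (what a validating admission webhook or a `kubectl get pod -o json` dump would give you) and flags those characters and any reference to kernel.core_pattern; the manifests at the bottom are constructed samples, and the core_pattern handler path in the malicious one is a placeholder, not a real exploit payload.

```python
"""Audit Pod manifests for sysctl entries that could reach the pinns
injection fixed in CVE-2022-0811. Added example, not project code.

Findings are strings; an empty list means the pod passes. The checks are:
  * a '+' or '=' in a sysctl name or value (the separators pinns split on), and
  * any mention of kernel.core_pattern, a host-wide parameter that should
    never appear in a pod spec.
"""
from __future__ import annotations

INJECTION_CHARS = "+="          # pinns split entries on '+' and key/value on '='
HOST_WIDE_SYSCTL = "kernel.core_pattern"


def pod_sysctls(pod: dict) -> list[dict]:
    """Return the pod-level sysctl entries ({'name': ..., 'value': ...}).

    Sysctls can only be requested at pod level (spec.securityContext.sysctls),
    never per container, so this is the only place to look.
    """
    spec = pod.get("spec") or {}
    security_context = spec.get("securityContext") or {}
    return list(security_context.get("sysctls") or [])


def audit_sysctls(pod: dict) -> list[str]:
    """Return one finding per suspicious sysctl property in the pod."""
    findings: list[str] = []
    for entry in pod_sysctls(pod):
        name = str(entry.get("name", ""))
        value = str(entry.get("value", ""))
        for field, text in (("name", name), ("value", value)):
            bad = [ch for ch in INJECTION_CHARS if ch in text]
            if bad:
                findings.append(
                    f"{name}: {field} contains {bad}, possible sysctl injection"
                )
        if HOST_WIDE_SYSCTL in name or HOST_WIDE_SYSCTL in value:
            findings.append(
                f"{name}: references {HOST_WIDE_SYSCTL} (host-wide, used by cr8escape)"
            )
    return findings


# Constructed sample manifests (not real cluster objects).
BENIGN_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "benign"},
    "spec": {
        "securityContext": {"sysctls": [
            {"name": "net.ipv4.ip_local_port_range", "value": "32768 60999"},
        ]},
        "containers": [{"name": "app", "image": "busybox"}],
    },
}

MALICIOUS_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "smuggler"},
    "spec": {
        "securityContext": {"sysctls": [
            # Allowed key, but the value carries a second parameter after '+'.
            # "/tmp/handler" is a placeholder, not a real payload location.
            {"name": "kernel.shm_rmid_forced", "value": "1+kernel.core_pattern=|/tmp/handler"},
        ]},
        "containers": [{"name": "app", "image": "busybox"}],
    },
}

if __name__ == "__main__":
    for pod in (BENIGN_POD, MALICIOUS_POD):
        print(pod["metadata"]["name"], audit_sysctls(pod) or "OK")
```

In a validating webhook the same function would reject the request when it returns any finding; as a periodic audit it gives a list of pods to investigate on nodes that still run a vulnerable CRI-O.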
Helpful Links
- Red Hat community vulnerability notice: https://access.redhat.com/security/cve/cve-2022-0811
- cr8escape: New Vulnerability in CRI-O Container Engine Discovered by CrowdStrike: https://www.crowdstrike.com/blog/cr8escape-new-vulnerability-discovered-in-cri-o-container-engine-cve-2022-0811/