Updated on 2024-01-26 GMT+08:00

Notice on the Container Escape Vulnerability Caused by the Linux Kernel (CVE-2022-0492)

Recently, the security team detected that in some scenarios, the release_agent feature of Linux kernel cgroup v1 can be exploited to escalate privileges and unexpectedly bypass namespace isolation.

Vulnerability Details

Table 1 Vulnerability information

Vulnerability Type | CVE-ID        | Discovered
-------------------+---------------+-----------
Container escape   | CVE-2022-0492 | 2021-02-07

Threat Severity

Critical

Trigger Conditions

On an affected node, a workload runs a process as the root user (or with the CAP_SYS_ADMIN capability), and no seccomp profile is configured for it.

Root Cause

The Linux kernel does not check whether the process that sets the release_agent file has the proper permission.

Impact Scope

1. For x86 nodes, EulerOS 2.5 and CentOS images are not affected by this vulnerability.

2. EulerOS (Arm) whose kernel version is earlier than 4.19.36-vhulk1907.1.0.h962.eulerosv2r8.aarch64 is affected by this vulnerability.

3. EulerOS (x86) whose kernel version is earlier than 4.18.0-147.5.1.6.h541.eulerosv2r9.x86_64 is affected by this vulnerability.

4. Ubuntu nodes whose kernel version is 4.15.0-136-generic or earlier are affected by this vulnerability.

Workarounds and Mitigation Measures

  1. A fixed version has been provided for EulerOS 2.9 images. Migrate to nodes running kernel 4.18.0-147.5.1.6.h541.eulerosv2r9.x86_64 as soon as possible.
  2. Configure seccomp for workloads to restrict the unshare system call. For details, see the Kubernetes documentation.
  3. Minimize the permissions of processes in the container. For example, start processes as a non-root user and use the capability mechanism to grant only the capabilities a process needs.
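The trigger conditions and mitigations above translate directly into checks on a pod manifest. The following script is an added example, not code from this notice or from CCE: it flags containers that meet the full trigger (root or CAP_SYS_ADMIN, and no seccomp profile), applies the three mitigations to the spec, and emits a seccomp profile that denies unshare(2). The securityContext field names are the Kubernetes API's; the pod contents, the UID 10001 and the profile path under the kubelet seccomp directory are constructed for the example.

```python
"""Audit a pod spec for the CVE-2022-0492 trigger conditions and harden it.

Trigger per the notice: a process that is root (or holds CAP_SYS_ADMIN) in a
container with no seccomp profile. Field names follow the Kubernetes
PodSecurityContext / SecurityContext API; sample pods are constructed.
"""
import copy
import json

# Constructed sample: root by image default, CAP_SYS_ADMIN added, no seccomp.
VULNERABLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "demo-unsafe"},
    "spec": {
        "containers": [
            {
                "name": "app",
                "image": "example.invalid/app:1.0",
                "securityContext": {"capabilities": {"add": ["SYS_ADMIN"]}},
            }
        ]
    },
}

# Constructed sample: still root, but the runtime default seccomp profile is
# on, so the "seccomp is not configured" condition is not met.
SECCOMP_ONLY_POD = copy.deepcopy(VULNERABLE_POD)
SECCOMP_ONLY_POD["spec"]["securityContext"] = {"seccompProfile": {"type": "RuntimeDefault"}}


def _effective(pod_sc, ctr_sc, key):
    """Container-level securityContext overrides the pod-level value."""
    return ctr_sc[key] if key in ctr_sc else pod_sc.get(key)


def find_exposures(pod):
    """Return (container, finding) pairs for each trigger condition present."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    findings = []
    for ctr in spec.get("containers", []) + spec.get("initContainers", []):
        ctr_sc = ctr.get("securityContext", {})
        name = ctr["name"]
        uid = _effective(pod_sc, ctr_sc, "runAsUser")
        non_root = _effective(pod_sc, ctr_sc, "runAsNonRoot")
        # Explicit UID 0, or no UID and runAsNonRoot unset: the image's default
        # user applies, which is commonly root.
        if uid == 0 or (uid is None and non_root is not True):
            findings.append((name, "may run as root"))
        caps = ctr_sc.get("capabilities", {})
        if ctr_sc.get("privileged") or "SYS_ADMIN" in caps.get("add", []):
            findings.append((name, "holds CAP_SYS_ADMIN"))
        seccomp = _effective(pod_sc, ctr_sc, "seccompProfile")
        if not seccomp or seccomp.get("type") == "Unconfined":
            findings.append((name, "no seccomp profile"))
    return findings


def exposed_containers(pod):
    """Containers meeting the full trigger: (root or CAP_SYS_ADMIN) and no seccomp."""
    by_ctr = {}
    for name, finding in find_exposures(pod):
        by_ctr.setdefault(name, set()).add(finding)
    return sorted(
        name for name, f in by_ctr.items()
        if "no seccomp profile" in f and f & {"may run as root", "holds CAP_SYS_ADMIN"}
    )


def harden(pod, profile="RuntimeDefault"):
    """Apply the notice's mitigations: non-root user, minimal capabilities, seccomp.
    `profile` is either "RuntimeDefault" or a path relative to the kubelet's
    seccomp directory for a Localhost profile. The input is not mutated."""
    out = copy.deepcopy(pod)
    spec = out["spec"]
    pod_sc = spec.setdefault("securityContext", {})
    pod_sc["runAsNonRoot"] = True
    pod_sc["runAsUser"] = 10001  # constructed unprivileged UID
    if profile == "RuntimeDefault":
        pod_sc["seccompProfile"] = {"type": "RuntimeDefault"}
    else:
        pod_sc["seccompProfile"] = {"type": "Localhost", "localhostProfile": profile}
    for ctr in spec.get("containers", []) + spec.get("initContainers", []):
        sc = ctr.setdefault("securityContext", {})
        sc["allowPrivilegeEscalation"] = False
        sc.pop("privileged", None)
        caps = sc.setdefault("capabilities", {})
        caps["drop"] = ["ALL"]
        caps["add"] = [c for c in caps.get("add", []) if c != "SYS_ADMIN"]
    return out


def unshare_deny_profile():
    """OCI/Docker-format seccomp profile that makes unshare(2) fail with EPERM.
    A production profile should extend the runtime's default profile rather
    than start from allow-all; this minimal one isolates the single rule."""
    return {
        "defaultAction": "SCMP_ACT_ALLOW",
        "syscalls": [{"names": ["unshare"], "action": "SCMP_ACT_ERRNO", "errnoRet": 1}],
    }


if __name__ == "__main__":
    print("exposed:", exposed_containers(VULNERABLE_POD))
    print("after hardening:", exposed_containers(harden(VULNERABLE_POD)))
    print(json.dumps(unshare_deny_profile(), indent=2))
```

Run against a live cluster by feeding it `kubectl get pod -o json` output (each item is one pod dict). Note that `exposed_containers` only reports the combination the notice names; `find_exposures` still lists root or CAP_SYS_ADMIN on its own, which is worth fixing regardless of the seccomp setting, since the kernel fix rather than seccomp is the actual remedy.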

References

1. Kernel repair commit: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=24f6008564183aa120d07c03d9289519c2fe02af

2. Red Hat community vulnerability notice: https://access.redhat.com/security/cve/cve-2022-0492