Updated on 2023-08-02 GMT+08:00

Notice on the Container Escape Vulnerability Caused by the Linux Kernel (CVE-2022-0492)

Description

In some scenarios, the release_agent feature of the Linux kernel's cgroup v1 can be used to escape from a container to the host OS. This vulnerability has been assigned CVE-2022-0492.

Table 1 Vulnerability information

Type              CVE-ID         Severity  Discovered
Container escape  CVE-2022-0492  High      2021-02-07

Impact

The Linux kernel does not check whether the process is authorized to configure the release_agent file. The vulnerability can be exploited on an affected node when workload processes run as user root (or as a user with the CAP_SYS_ADMIN capability) and seccomp is not configured.

CCE clusters are affected by this vulnerability in the following aspects:

  1. For x86 nodes, EulerOS 2.5 and CentOS images are not affected by this vulnerability.
  2. EulerOS (Arm) whose kernel version is earlier than 4.19.36-vhulk1907.1.0.h962.eulerosv2r8.aarch64 is affected by this vulnerability.
  3. EulerOS (x86) whose kernel version is earlier than 4.18.0-147.5.1.6.h541.eulerosv2r9.x86_64 is affected by this vulnerability.
  4. Ubuntu nodes whose kernel version is 4.15.0-136-generic or earlier are affected by this vulnerability.

Solution

  1. A fix version has been provided for EulerOS 2.9 images. Migrate to the 4.18.0-147.5.1.6.h541.eulerosv2r9.x86_64 nodes as soon as possible.
  2. Configure seccomp for workloads to restrict the unshare system call. For details, see the Kubernetes documentation.
  3. Restrict and minimize process permissions in the container. For example, start processes as a non-root user and use the capability mechanism to grant only the capabilities the process needs.
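The two workload-side mitigations above (seccomp restricting unshare, and non-root processes with minimal capabilities) can be expressed in a single Pod manifest. The following is an added example, not part of the CCE notice or of any CCE-provided template; the Pod name, image, user ID and profile file name are assumptions. The first document is a seccomp profile in JSON syntax (JSON is valid YAML, so it is shown here in the same block); it must be saved on each node under the kubelet seccomp directory (by default /var/lib/kubelet/seccomp/) so that the Pod's Localhost profile reference resolves.

```yaml
# --- Document 1: seccomp profile (JSON syntax), assumed to be saved on every
# node as /var/lib/kubelet/seccomp/profiles/no-unshare.json.
# Everything is allowed except unshare, which returns EPERM. A full allowlist
# profile is stronger; this minimal one only demonstrates the unshare restriction
# from step 2 of the solution.
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_AARCH64"],
  "syscalls": [
    {
      "names": ["unshare"],
      "action": "SCMP_ACT_ERRNO",
      "errnoRet": 1
    }
  ]
}
---
# --- Document 2: Pod manifest applying the profile and a minimal-privilege
# security context (step 3 of the solution). Names and image are placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: hardened-app            # assumed name
spec:
  securityContext:
    runAsNonRoot: true          # kubelet refuses to start the container as UID 0
    runAsUser: 10001            # assumed unprivileged UID baked into the image
    runAsGroup: 10001
    seccompProfile:
      type: Localhost
      localhostProfile: profiles/no-unshare.json   # relative to the kubelet seccomp root
  containers:
  - name: app
    image: example.com/app:1.0  # placeholder image
    securityContext:
      allowPrivilegeEscalation: false   # no setuid/file-capability escalation
      capabilities:
        drop: ["ALL"]                    # in particular, no CAP_SYS_ADMIN
        # add: ["NET_BIND_SERVICE"]      # re-add only what the workload actually needs
```

Dropping all capabilities removes the CAP_SYS_ADMIN precondition described in the Impact section, and the seccomp profile removes the unshare path even if a capability were later re-added. If a node-local profile file is not wanted, `seccompProfile: {type: RuntimeDefault}` applies the container runtime's default profile, which in Docker and containerd already denies unshare to containers that lack CAP_SYS_ADMIN; verify this against the runtime version deployed on the cluster nodes before relying on it.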