Notice on CRI-O Container Runtime Engine Arbitrary Code Execution Vulnerability (CVE-2022-0811)
The CrowdStrike security team disclosed a security vulnerability (tracked as CVE-2022-0811) in CRI-O v1.19. An attacker can exploit this vulnerability to escape to the host.
Vulnerability Details
Vulnerability Type |
CVE-ID |
Discovered |
|---|---|---|
Container escape |
CVE-2022-0811 |
2021-03-16 |
Threat Severity
Critical
Root Cause
A vulnerability is introduced in CRI-O v1.19. An attacker can exploit this vulnerability to bypass protection measures and set arbitrary kernel parameters on the host. As a result, any user with permissions to deploy a pod on a Kubernetes cluster that uses CRI-O runtime can abuse the kernel.core_pattern kernel parameter to achieve container escape and arbitrary code execution as root on any node in the cluster.
Impact Scope
1. Kubernetes clusters that use CRI-O v1.19 or later, including patch versions 1.19.6, 1.20.7, 1.21.6, 1.22.3, 1.23.2, and 1.24.0.
CCE clusters are not affected by this vulnerability because they do not use CRI-O.
Workarounds and Mitigation Measures
- For CRI-O v1.19 and v1.20, set manage_ns_lifecycle to false, and use Open Container Initiative (OCI) runtimes to configure sysctls.
- Create a PodSecurityPolicy and set all sysctls to false.
- Upgrade the CRI-O runtime to the latest version.
References
1. Red Hat community vulnerability notice: https://access.redhat.com/security/cve/cve-2022-0811
2. cr8escape: New Vulnerability in CRI-O Container Engine Discovered by CrowdStrike: https://www.crowdstrike.com/blog/cr8escape-new-vulnerability-discovered-in-cri-o-container-engine-cve-2022-0811/
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
