Help Center/ Cloud Container Engine/ Product Bulletin/ Vulnerability Notices/ Notice on CRI-O Container Runtime Engine Arbitrary Code Execution Vulnerability (CVE-2022-0811)
Updated on 2023-08-02 GMT+08:00

Notice on CRI-O Container Runtime Engine Arbitrary Code Execution Vulnerability (CVE-2022-0811)

Description

A security vulnerability in CRI-O 1.19 was found by the crowdstrike security team. Attackers can exploit this vulnerability to bypass protection and set arbitrary kernel parameters on the host. As a result, any user with permissions to deploy a pod on a Kubernetes cluster that uses CRI-O runtime can abuse the kernel.core_pattern kernel parameter to achieve container escape and arbitrary code execution as root on any node in the cluster.

This vulnerability has been assigned CVE-2022-0811.

Table 1 Vulnerability information

Type

CVE-ID

Severity

Discovered

Container escape

CVE-2022-0811

High

2021-03-16

Impact

This vulnerability affects Kubernetes clusters that use CRI-O of versions later than 1.19. The involved patch versions include 1.19.6, 1.20.7, 1.21.6, 1.22.3, 1.23.2, and 1.24.0.

CCE clusters are not affected by this vulnerability because they do not use CRI-O.

Solution

  1. For CRI-O v1.19 and v1.20, set manage_ns_lifecycle to false, and use Open Container Initiative (OCI) runtimes to configure sysctls.
  2. Create a PodSecurityPolicy and set all sysctls to false.
  3. Upgrade the CRI-O version in a timely manner.

Helpful Links

  1. Red Hat community vulnerability notice: https://access.redhat.com/security/cve/cve-2022-0811
  2. cr8escape: New Vulnerability in CRI-O Container Engine Discovered by CrowdStrike: https://www.crowdstrike.com/blog/cr8escape-new-vulnerability-discovered-in-cri-o-container-engine-cve-2022-0811/