Notice on the Container Escape Vulnerability Caused by the Linux Kernel (CVE-2022-0492)
Description
In some scenarios, the release_agent feature of the Linux kernel's cgroup v1 can be used to escape from a container to the host OS. This vulnerability has been assigned CVE-2022-0492.
| Type | CVE-ID | Severity | Discovered |
|---|---|---|---|
| Container escape | CVE-2022-0492 | High | 2021-02-07 |
Impact
The Linux kernel does not check whether a process is authorized to write the release_agent file. An affected node is exploitable when workload processes run as user root (or as a user holding the CAP_SYS_ADMIN capability) and seccomp is not configured.
CCE clusters are affected by this vulnerability in the following aspects:
- For x86 nodes, EulerOS 2.5 and CentOS images are not affected by this vulnerability.
- EulerOS (Arm) whose kernel version is earlier than 4.19.36-vhulk1907.1.0.h962.eulerosv2r8.aarch64 is affected by this vulnerability.
- EulerOS (x86) whose kernel version is earlier than 4.18.0-147.5.1.6.h541.eulerosv2r9.x86_64 is affected by this vulnerability.
- Ubuntu nodes whose kernel version is 4.15.0-136-generic or earlier are affected by this vulnerability.
Solution
- A fixed version has been provided for EulerOS 2.9 images. Migrate workloads to nodes running kernel 4.18.0-147.5.1.6.h541.eulerosv2r9.x86_64 as soon as possible.
- Configure seccomp for workloads to restrict the unshare system call. For details, see the Kubernetes documentation.
- Restrict the process permissions in a container and minimize the process permissions in the container. For example, use a non-root user to start processes and use the capability mechanism to refine the process permissions.
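As an added example (not part of this notice or of CCE), the following script writes a seccomp profile that denies unshare(2) with EPERM and a Pod manifest that loads it while running as non-root with all capabilities dropped, covering the second and third mitigations above. The file names, Pod name, image and UID are assumptions.

```shell
#!/bin/sh
# Added example: seccomp profile denying unshare(2) plus a hardened Pod spec.
# Paths, names, image and UID below are assumptions, not values from the notice.

# Write the seccomp profile. kubelet resolves Localhost profiles relative to
# /var/lib/kubelet/seccomp/ on the node, so place the file under that directory.
write_seccomp_profile() {
  cat > "$1" <<'EOF'
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_AARCH64"],
  "syscalls": [
    {
      "names": ["unshare"],
      "action": "SCMP_ACT_ERRNO",
      "errnoRet": 1
    }
  ]
}
EOF
}

# Write a Pod manifest that loads the profile and minimises process privileges.
write_pod_manifest() {
  cat > "$1" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: hardened-workload          # assumed name
spec:
  securityContext:
    seccompProfile:
      type: Localhost
      localhostProfile: profiles/deny-unshare.json   # relative to /var/lib/kubelet/seccomp
    runAsNonRoot: true
    runAsUser: 10001               # assumed unprivileged UID
  containers:
  - name: app
    image: example.com/app:1.0     # placeholder image
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
EOF
}

# Sanity check for a profile file: does it explicitly deny unshare?
profile_denies_unshare() {
  grep -q '"unshare"' "$1" && grep -q 'SCMP_ACT_ERRNO' "$1"
}
```

Copy the profile to /var/lib/kubelet/seccomp/profiles/deny-unshare.json on every node before applying the manifest; a Pod referencing a missing Localhost profile fails to start.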
Helpful Links
- Kernel repair commit: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=24f6008564183aa120d07c03d9289519c2fe02af
- Red Hat community vulnerability notice: https://access.redhat.com/security/cve/cve-2022-0492