x/vulndb: potential Go vuln in github.com/cri-o/cri-o: GHSA-w2j5-3rcx-vx7x · Issue #363 · golang/vulndb · GitHub
Closed
@GoVulnBot

In GitHub Security Advisory GHSA-w2j5-3rcx-vx7x, there is a vulnerability in the following Go packages or modules:

| Unit | Fixed | Vulnerable Ranges |
| --- | --- | --- |
| github.com/cri-o/cri-o | 1.19.5 | >= 1.18.0, < 1.19.5 |

See doc/triage.md for instructions on how to triage this report.

```yaml
package: github.com/cri-o/cri-o
additional_packages:
  - package: github.com/cri-o/cri-o
    versions:
      - introduced: v1.20.0
        fixed: v1.20.6
  - package: github.com/cri-o/cri-o
    versions:
      - introduced: v1.21.0
        fixed: v1.21.5
  - package: github.com/cri-o/cri-o
    versions:
      - introduced: v1.22.0
        fixed: v1.22.2
  - package: github.com/cri-o/cri-o
    versions:
      - introduced: v1.23.0
        fixed: v1.23.1
versions:
  - introduced: v1.18.0
    fixed: v1.19.5
description: |-
    ### Impact
    Before setting the sysctls for a pod, the pod's namespaces must be unshared (created). However, in cases where the pod is using a host network or IPC namespace, a bug in CRI-O caused the namespace creating tool [pinns](https://github.com/cri-o/cri-o/tree/main/pinns/) to configure the sysctls of the host. This allows a malicious user to set sysctls on the host, assuming they have access to hostNetwork and hostIPC.

    Any CRI-O cluster after CRI-O 1.18 that drops the infra container is affected.
    1.22 and 1.23 clusters drop the infra container by default, and are thus vulnerable by default.

    ### Patches
    CRI-O versions 1.24.0, 1.23.1, 1.22.2, 1.21.5, 1.20.6, 1.19.5 all have the patches.

    ### Workarounds
    Users can set `manage_ns_lifecycle` to false, which causes the sysctls to be configured by the OCI runtime, which typically filters these cases. This option is available in 1.20 and 1.19. Newer versions don't have this option.
    An admission webhook could also be created to deny pods that use host IPC or network namespaces and also attempt to configure sysctls related to that namespace.

    ### For more information
    If you have any questions or comments about this advisory:
    * Open an issue in [the CRI-O repo](http://github.com/cri-o/cri-o/issues)
    * To make a report, email your vulnerability to the private
    [cncf-crio-security@lists.cncf.io](mailto:cncf-crio-security@lists.cncf.io) list
    with the security details and the details expected for [all CRI-O bug
    reports](https://github.com/cri-o/cri-o/blob/main/.github/ISSUE_TEMPLATE/bug-report.yml).
published: 2022-03-15T20:02:54Z
last_modified: 2022-03-18T13:40:52Z
ghsas:
  - GHSA-w2j5-3rcx-vx7x
```
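The admission-webhook workaround from the advisory, as an added example (not CRI-O or vulndb code): the core check a validating webhook would run over the Pod object it receives, denying pods that share a host namespace and at the same time set sysctls scoped to that namespace. The `Pod` type is a hand-written subset of the Kubernetes API (an assumption, not client-go), and the set of IPC-namespaced sysctl keys is the usual `kernel.shm*`, `kernel.msg*`, `kernel.sem` and `fs.mqueue.*` group.

```go
package main

import (
	"encoding/json"
	"strings"
)

// Minimal subset of a Kubernetes Pod needed for this check (hypothetical types, not client-go).
type Pod struct {
	Spec struct {
		HostNetwork     bool `json:"hostNetwork"`
		HostIPC         bool `json:"hostIPC"`
		SecurityContext struct {
			Sysctls []struct{ Name string `json:"name"` } `json:"sysctls"`
		} `json:"securityContext"`
	} `json:"spec"`
}

// sysctlNamespace returns "net" for net.*, "ipc" for IPC-namespaced keys, "" otherwise.
func sysctlNamespace(name string) string {
	switch {
	case strings.HasPrefix(name, "net."):
		return "net"
	case strings.HasPrefix(name, "kernel.shm"), strings.HasPrefix(name, "kernel.msg"),
		name == "kernel.sem", strings.HasPrefix(name, "fs.mqueue."):
		return "ipc"
	}
	return ""
}

// HostSysctls lists the sysctls that would be applied to a host namespace the pod shares.
func HostSysctls(p Pod) []string {
	var bad []string
	for _, s := range p.Spec.SecurityContext.Sysctls {
		ns := sysctlNamespace(s.Name)
		if (ns == "net" && p.Spec.HostNetwork) || (ns == "ipc" && p.Spec.HostIPC) {
			bad = append(bad, s.Name)
		}
	}
	return bad
}

// Admit parses the pod JSON found in an AdmissionReview's request.object and returns the
// offending sysctl names; an empty result means allow, a non-empty one is the reason to deny.
func Admit(raw []byte) ([]string, error) {
	var p Pod
	if err := json.Unmarshal(raw, &p); err != nil {
		return nil, err
	}
	return HostSysctls(p), nil
}
```

Wire `Admit` into the webhook handler so that a non-empty result produces an `allowed: false` AdmissionResponse listing the names; pods that set these sysctls without sharing the corresponding host namespace are still admitted.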

Labels: excluded: NOT_IMPORTABLE (this vulnerability only exists in a binary and is not importable).