First published: Thu Nov 07 2019
A flaw was found in cri-o, as a result of all pod-related processes being placed in the same memory cgroup. This can result in container management (conmon) processes being killed if a workload process triggers an out-of-memory (OOM) condition for the cgroup. An attacker could abuse this flaw to get host network access on a cri-o host.
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/cri-o | <0:1.11.16-0.10.dev.rhaos3.11.git1eee681.el7 | 0:1.11.16-0.10.dev.rhaos3.11.git1eee681.el7 |
redhat/cri-o | <0:1.14.12-15.dev.rhaos4.2.gita17905f.el8 | 0:1.14.12-15.dev.rhaos4.2.gita17905f.el8 |
Kubernetes CRI-O | <1.16.1 | |
Fedoraproject Fedora | | |
Redhat Openshift Container Platform | =3.11 | |
Redhat Openshift Container Platform | =4.1 | |
Redhat Openshift Container Platform | =4.2 | |
The vulnerability ID is CVE-2019-14891.
The severity of CVE-2019-14891 is medium.
The flaw can result in container management (conmon) processes being killed if a workload process triggers an out-of-memory (OOM) condition.
An attacker could abuse this flaw to cause an out-of-memory (OOM) condition and disrupt container management processes.
Cri-o versions up to and including 1.16.1 are affected.