CVE-2020-14316
First published: Fri Jun 19 2020(Updated: )
A flaw was found in kubevirt 0.29 and earlier. Virtual Machine Instances (VMIs) can be used to gain access to the host's filesystem. Successful exploitation allows an attacker to assume the privileges of the VM process on the host system. In worst-case scenarios an attacker can read and modify any file on the system where the VMI is running. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/kubevirt | <0.30 | 0.30 |
| go/kubevirt.io/kubevirt | <0.30.0 | 0.30.0 |
| Kubevirt Kubevirt Kubernetes | <=0.29 | |
| Redhat Openshift Virtualization | =1 |
Remedy
This flaw can be partially or completely mitigated by leveraging existing mechanisms to restrict the VMI process such as running as non-root and using SELinux and sVirt whenever possible.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2020-14316 https://nvd.nist.gov/vuln/detail/CVE-2020-14316
- https://bugzilla.redhat.com/show_bug.cgi?id=1848951
- https://access.redhat.com/errata/RHSA-2020:3194
- https://access.redhat.com/security/cve/cve-2020-14316
- https://github.com/kubevirt/kubevirt/pull/3686
- https://nvd.nist.gov/vuln/detail/CVE-2020-14316
- https://github.com/advisories/GHSA-828r-r2c8-rfw3 (Advisory)
Frequently Asked Questions
What is the vulnerability ID for this flaw?
The vulnerability ID for this flaw is CVE-2020-14316.
What is the severity of CVE-2020-14316?
CVE-2020-14316 has a severity rating of critical.
What software versions are affected by CVE-2020-14316?
Versions of kubevirt up to 0.30 are affected by CVE-2020-14316.
How can an attacker exploit CVE-2020-14316?
An attacker can use Virtual Machine Instances (VMIs) to gain access to the host's filesystem and assume the privileges of the VM process on the host system.
Are there any fixes available for CVE-2020-14316?
Yes, a fix is available in kubevirt version 0.30.
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-14316
- agent/software-canonical-lookup
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-828r-r2c8-rfw3
- agent/severity
- agent/last-modified-date
- agent/references
- agent/weakness
- agent/event
- agent/author
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- agent/softwarecombine
- collector/github-advisory
- agent/tags
- collector/mitre-cve
- source/MITRE
- package-manager/redhat
- package-manager/go
- vendor/kubevirt
- canonical/kubevirt kubevirt kubernetes
- version/kubevirt kubevirt kubernetes/0.29
- vendor/redhat
- canonical/redhat openshift virtualization
- version/redhat openshift virtualization/1