CVE-2023-6476: Cri-o: pods are able to break out of resource confinement on cgroupv2
First published: Mon Dec 11 2023(Updated: )
### Impact _What kind of vulnerability is it? Who is impacted?_ All versions of CRI-O running on cgroupv2 nodes. Unchecked access to an experimental annotation allows a container to be unconfined. Back in 2021, [support was added](https://github.com/cri-o/cri-o/pull/4479) to support an experimental annotation that allows a user to request special resources in cgroupv2. It was supposed to be gated by an experimental annotation: `io.kubernetes.cri-o.UnifiedCgroup`, which was supposed to be filtered from the [list of allowed annotations](https://github.com/cri-o/cri-o/blob/main/pkg/config/workloads.go#L103-L107) . However, there is a bug in this code which allows any user to specify this annotation, regardless of whether it's enabled on the node. The consequences of this are a pod can specify any amount of memory/cpu and get it, circumventing the kubernetes scheduler, and potentially be able to DOS a node. ### Patches _Has the problem been patched? What versions should users upgrade to?_ 1.29.1, 1.28.3, 1.27.3 ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ use cgroupv1 ### References _Are there any links users can visit to find out more?_
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| go/github.com/cri-o/cri-o | <1.27.3 | 1.27.3 |
| go/github.com/cri-o/cri-o | >=1.28.0<1.28.3 | 1.28.3 |
| go/github.com/cri-o/cri-o | =1.29.0 | 1.29.1 |
| Redhat Openshift Container Platform | =3.11 | |
| All of | ||
| Any of | ||
| Redhat Openshift Container Platform | =4.13 | |
| Redhat Openshift Container Platform | =4.14 | |
| Any of | ||
| Redhat Enterprise Linux | =8.0 | |
| Redhat Enterprise Linux | =9.0 | |
| redhat/cri-o | <1.29.1 | 1.29.1 |
| redhat/cri-o | <1.27.3 | 1.27.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/cri-o/cri-o/security/advisories/GHSA-p4rx-7wvg-fwrc
- https://nvd.nist.gov/vuln/detail/CVE-2023-6476
- https://github.com/cri-o/cri-o/pull/4479
- https://github.com/cri-o/cri-o/commit/75effcb1a25851a736e82dba1f7d8cee93ee159e
- https://access.redhat.com/security/cve/CVE-2023-6476
- https://bugzilla.redhat.com/show_bug.cgi?id=2253994
- https://github.com/cri-o/cri-o/blob/main/pkg/config/workloads.go#L103-L107
- https://access.redhat.com/errata/RHSA-2024:0195
- https://access.redhat.com/errata/RHSA-2024:0207
- https://github.com/advisories/GHSA-p4rx-7wvg-fwrc (Advisory)
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2257496
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2257495
- https://access.redhat.com/errata/RHSA-2023:7201
- agent/type
- agent/first-publish-date
- agent/title
- agent/severity
- agent/weakness
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-p4rx-7wvg-fwrc
- alias/CVE-2023-6476
- agent/software-canonical-lookup
- agent/description
- agent/author
- agent/softwarecombine
- agent/event
- collector/nvd-cve
- source/NVD
- collector/github-advisory
- collector/nvd-api
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/tags
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/last-modified-date
- collector/redhat-bugzilla
- source/Red Hat
- package-manager/go
- vendor/redhat
- canonical/redhat openshift container platform
- version/redhat openshift container platform/3.11
- version/redhat openshift container platform/4.13
- version/redhat openshift container platform/4.14
- canonical/redhat enterprise linux
- version/redhat enterprise linux/8.0
- version/redhat enterprise linux/9.0
- package-manager/redhat