First published: Mon Dec 11 2023
### Impact

_What kind of vulnerability is it? Who is impacted?_

All versions of CRI-O running on cgroupv2 nodes. Unchecked access to an experimental annotation allows a container to be unconfined.

Back in 2021, [support was added](https://github.com/cri-o/cri-o/pull/4479) for an experimental annotation that allows a user to request special resources in cgroupv2. It was supposed to be gated by an experimental annotation, `io.kubernetes.cri-o.UnifiedCgroup`, which was supposed to be filtered from the [list of allowed annotations](https://github.com/cri-o/cri-o/blob/main/pkg/config/workloads.go#L103-L107). However, there is a bug in this code which allows any user to specify this annotation, regardless of whether it's enabled on the node. The consequence is that a pod can specify any amount of memory/CPU and get it, circumventing the Kubernetes scheduler, and potentially DoS a node.

### Patches

_Has the problem been patched? What versions should users upgrade to?_

1.29.1, 1.28.3, 1.27.3

### Workarounds

_Is there a way for users to fix or remediate the vulnerability without upgrading?_

Use cgroupv1.

### References

_Are there any links users can visit to find out more?_
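As an added illustration (not CRI-O's own code), a hypothetical allowlist filter of the kind the advisory describes, plus an audit helper that flags pods requesting the `io.kubernetes.cri-o.UnifiedCgroup` annotation on a node whose allowlist does not include it. The pod representation and the annotation value format are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// UnifiedCgroupAnnotation is the experimental annotation named in the advisory.
const UnifiedCgroupAnnotation = "io.kubernetes.cri-o.UnifiedCgroup"

// filterAnnotations keeps only requested annotations whose key is on the node's
// allowlist, so a pod cannot opt itself into node-level experimental behaviour.
func filterAnnotations(requested map[string]string, allowed []string) map[string]string {
	allowedSet := make(map[string]struct{}, len(allowed))
	for _, k := range allowed {
		allowedSet[k] = struct{}{}
	}
	kept := make(map[string]string)
	for k, v := range requested {
		if _, ok := allowedSet[k]; ok {
			kept[k] = v
		}
	}
	return kept
}

// auditUnifiedCgroup maps pod name -> annotations and returns, sorted, the pods
// carrying the UnifiedCgroup annotation that the node's allowlist does not permit.
func auditUnifiedCgroup(pods map[string]map[string]string, allowed []string) []string {
	var findings []string
	for name, ann := range pods {
		if _, requested := ann[UnifiedCgroupAnnotation]; !requested {
			continue
		}
		if _, ok := filterAnnotations(ann, allowed)[UnifiedCgroupAnnotation]; !ok {
			findings = append(findings, name)
		}
	}
	sort.Strings(findings)
	return findings
}

func main() {
	// Constructed sample; "memory.max=max" is an illustrative value only.
	pods := map[string]map[string]string{
		"web":    {"app": "web"},
		"greedy": {UnifiedCgroupAnnotation: "memory.max=max"},
	}
	fmt.Println(auditUnifiedCgroup(pods, nil)) // [greedy]
}
```

On a patched node the filter is what should drop the annotation; running the audit over pod specs from the API server gives a quick cross-check that nothing is requesting it where it was never enabled.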
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| go/github.com/cri-o/cri-o | <1.27.3 | 1.27.3 |
| go/github.com/cri-o/cri-o | >=1.28.0, <1.28.3 | 1.28.3 |
| go/github.com/cri-o/cri-o | =1.29.0 | 1.29.1 |
| Redhat Openshift Container Platform | =3.11 | |
| All of: | | |
| Any of: | | |
| Redhat Openshift Container Platform | =4.13 | |
| Redhat Openshift Container Platform | =4.14 | |
| Any of: | | |
| Redhat Enterprise Linux | =8.0 | |
| Redhat Enterprise Linux | =9.0 | |
| redhat/cri-o | <1.29.1 | 1.29.1 |
| redhat/cri-o | <1.27.3 | 1.27.3 |