CVE-2024-3154: Cri-o: arbitrary command injection via pod annotation
First published: Mon Apr 01 2024(Updated: )
## Withdrawn Advisory This advisory has been withdrawn because it was incorrectly attributed to runc. Please see the issue [here](https://github.com/opencontainers/runc/issues/4263) for more information. ## Original Description A flaw was found in cri-o, where an arbitrary systemd property can be injected via a Pod annotation. Any user who can create a pod with an arbitrary annotation may perform an arbitrary action on the host system. This issue has its root in how runc handles Config Annotations lists.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| go/github.com/cri-o/cri-o | <=1.27.5 | 1.27.6 |
| go/github.com/cri-o/cri-o | >=1.28.0<=1.28.5 | 1.28.6 |
| go/github.com/cri-o/cri-o | >=1.29.0<=1.29.3 | 1.29.4 |
| go/github.com/opencontainers/runc | <1.2.0-rc.1 | 1.2.0-rc.1 |
| redhat/cri-o | <1.30.0 | 1.30.0 |
| redhat/cri-o | <1.29.4 | 1.29.4 |
| redhat/cri-o | <1.27.6 | 1.27.6 |
| IBM Concert Software | <=1.0.0 - 1.0.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/cri-o/cri-o/security/advisories/GHSA-2cgq-h8xw-2v5j
- https://nvd.nist.gov/vuln/detail/CVE-2024-3154
- https://github.com/opencontainers/runc/pull/4217
- https://access.redhat.com/security/cve/CVE-2024-3154
- https://bugzilla.redhat.com/show_bug.cgi?id=2272532
- https://github.com/opencontainers/runtime-spec/blob/main/features.md#unsafe-annotations-in-configjson
- https://github.com/advisories/GHSA-2cgq-h8xw-2v5j (Advisory)
- https://github.com/opencontainers/runc/commit/3db0871f1cf25c7025861ba0d51d25794cb21623
- https://access.redhat.com/errata/RHSA-2024:2669
- https://access.redhat.com/errata/RHSA-2024:2672
- https://access.redhat.com/errata/RHSA-2024:2784
- https://access.redhat.com/errata/RHSA-2024:3496
- https://github.com/advisories/GHSA-c5pj-mqfh-rvc3 (Advisory)
- https://github.com/opencontainers/runc/pull/3923#discussion_r1538109353
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2278702
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2278701
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2278703
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2278704
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2278705
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2278706
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2278707
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2278708
- https://www.ibm.com/support/pages/node/7173596 (Advisory)
- agent/weakness
- agent/title
- agent/type
- agent/first-publish-date
- agent/severity
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/author
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-2cgq-h8xw-2v5j
- alias/CVE-2024-3154
- agent/software-canonical-lookup
- agent/description
- agent/softwarecombine
- agent/event
- alias/GHSA-c5pj-mqfh-rvc3
- agent/references
- agent/tags
- collector/nvd-cve
- source/NVD
- collector/nvd-api
- collector/redhat-bugzilla
- source/Red Hat
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/ibm-support
- source/IBM
- package-manager/go
- package-manager/redhat
- vendor/ibm
- canonical/ibm concert software
- version/ibm concert software/1.0.0 - 1.0.1