What was the original description of CVE-2024-3154?

CVE-2024-3154 was originally described as a flaw found in cri-o that allowed for arbitrary systemd manipulation.

Which versions of cri-o are affected by CVE-2024-3154?

CVE-2024-3154 affects cri-o versions up to 1.27.5, between 1.28.0 and 1.28.5, and between 1.29.0 and 1.29.3.

What is the recommended fix for CVE-2024-3154?

To fix CVE-2024-3154, upgrade cri-o to version 1.27.6, 1.28.6, or 1.29.4, or use the appropriate version for other affected packages.

Is there any specific software or products impacted by CVE-2024-3154?

Yes, IBM Concert Software versions 1.0.0 to 1.0.1 are also impacted by CVE-2024-3154.

What actions have been taken regarding CVE-2024-3154's advisory status?

The advisory for CVE-2024-3154 has been withdrawn due to incorrect attribution to runc.

Vulnerability/
CVE-2024-3154

high

7.2

CWE

EPSS

0.045%

1/4/2024

26/4/2024

4/2/2025

CVE-2024-3154: Cri-o: arbitrary command injection via pod annotation

First published: Mon Apr 01 2024(Updated: )

## Withdrawn Advisory This advisory has been withdrawn because it was incorrectly attributed to runc. Please see the issue [here](https://github.com/opencontainers/runc/issues/4263) for more information. ## Original Description A flaw was found in cri-o, where an arbitrary systemd property can be injected via a Pod annotation. Any user who can create a pod with an arbitrary annotation may perform an arbitrary action on the host system. This issue has its root in how runc handles Config Annotations lists.

Credit: secalert@redhat.com secalert@redhat.com

Affected Software	Affected Version	How to fix
go/github.com/cri-o/cri-o	<=1.27.5	1.27.6
go/github.com/cri-o/cri-o	>=1.28.0<=1.28.5	1.28.6
go/github.com/cri-o/cri-o	>=1.29.0<=1.29.3	1.29.4
go/github.com/opencontainers/runc	<1.2.0-rc.1	1.2.0-rc.1
redhat/cri-o	<1.30.0	1.30.0
redhat/cri-o	<1.29.4	1.29.4
redhat/cri-o	<1.27.6	1.27.6
IBM Concert Software	<=1.0.0 - 1.0.1

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

IBM-7182403

Frequently Asked Questions

What was the original description of CVE-2024-3154?
CVE-2024-3154 was originally described as a flaw found in cri-o that allowed for arbitrary systemd manipulation.
Which versions of cri-o are affected by CVE-2024-3154?
CVE-2024-3154 affects cri-o versions up to 1.27.5, between 1.28.0 and 1.28.5, and between 1.29.0 and 1.29.3.
What is the recommended fix for CVE-2024-3154?
To fix CVE-2024-3154, upgrade cri-o to version 1.27.6, 1.28.6, or 1.29.4, or use the appropriate version for other affected packages.
Is there any specific software or products impacted by CVE-2024-3154?
Yes, IBM Concert Software versions 1.0.0 to 1.0.1 are also impacted by CVE-2024-3154.
What actions have been taken regarding CVE-2024-3154's advisory status?
The advisory for CVE-2024-3154 has been withdrawn due to incorrect attribution to runc.

agent/weakness
agent/title
agent/type
agent/first-publish-date
agent/severity
collector/epss-latest
source/FIRST
agent/epss
agent/author
collector/github-advisory-latest
source/GitHub
alias/GHSA-2cgq-h8xw-2v5j
alias/CVE-2024-3154
agent/software-canonical-lookup
agent/event
alias/GHSA-c5pj-mqfh-rvc3
collector/nvd-cve
source/NVD
collector/redhat-bugzilla
source/Red Hat
collector/mitre-cve
source/MITRE
agent/references
agent/softwarecombine
agent/description
collector/nvd-api
agent/last-modified-date
agent/trending
agent/source
agent/tags
collector/ibm-support
source/IBM
package-manager/go
package-manager/redhat