Cri-o: pods are able to break out of resource confinement on cgroupv2
CVE-2023-6476

6.5MEDIUM

Key Information:

Vendor

Red Hat
Status
Red Hat Openshift Container Platform 4.13
Red Hat Openshift Container Platform 4.14
Red Hat Openshift Container Platform 3.11
Vendor
CVE Published:
9 January 2024

What is CVE-2023-6476?

A critical flaw exists in the CRI-O runtime, which is related to experimental annotations that can lead to a container running in an unconfined state. This vulnerability allows a pod to gain control over memory and CPU resources beyond standard limits, effectively bypassing the Kubernetes scheduler's resource management. The repercussions of this vulnerability could include a denial of service on the affected node, as it can lead to resource exhaustion and instability. Monitoring and patching affected versions are essential to mitigate risks associated with this vulnerability.

Affected Version(s)

Red Hat OpenShift Container Platform 4.13 0:1.26.4-6.1.rhaos4.13.git9eb9cf3.el9

Red Hat OpenShift Container Platform 4.14 0:1.27.2-7.rhaos4.14.git1cc7a64.el9

References

https://access.redhat.com/errata/RHSA-2024:0195
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:0207
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2023-6476
vdb-entryx_refsource_REDHAT

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2023-6476 : Cri-o: pods are able to break out of resource confinement on cgroupv2