Cri-o: pods are able to break out of resource confinement on cgroupv2
CVE-2023-6476

7.5HIGH

Key Information:

Vendor
Red Hat
Status
kernel
Red Hat OpenShift Container Platform 4.13
Red Hat OpenShift Container Platform 4.14
Red Hat OpenShift Container Platform 3.11
Vendor
CVE Published:
9 January 2024

Summary

A critical flaw exists in the CRI-O runtime, which is related to experimental annotations that can lead to a container running in an unconfined state. This vulnerability allows a pod to gain control over memory and CPU resources beyond standard limits, effectively bypassing the Kubernetes scheduler's resource management. The repercussions of this vulnerability could include a denial of service on the affected node, as it can lead to resource exhaustion and instability. Monitoring and patching affected versions are essential to mitigate risks associated with this vulnerability.

References

https://access.redhat.com/errata/RHSA-2024:0195
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:0207
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2023-6476
vdb-entryx_refsource_REDHAT

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD DatabaseMitre Database
.