PT-2022-1850 · Cri-O+2
John Walker
+1
·
Published
2022-03-15
·
Updated
2025-07-06
·
CVE-2022-0811
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
CRI-O 1.19.0 through 1.23.1, that is:
1.19.x prior to 1.19.6
1.20.x prior to 1.20.7
1.21.x prior to 1.21.6
1.22.x prior to 1.22.3
1.23.x prior to 1.23.2
CRI-O 1.24.0 and earlier
Description
A flaw was found in the way CRI-O applies the sysctls (kernel parameters) requested in a pod's securityContext. CRI-O hands the pod's name=value sysctl pairs to its pinns helper as a single string joined with the '+' character, and pinns splits that string on '+' again. Because the values were never validated, a '+' inside a sysctl value lets anyone with rights to create a pod on a Kubernetes cluster that uses the CRI-O runtime inject additional, arbitrary sysctls that are applied on the host, including ones outside the Kubernetes safe list such as kernel.core_pattern. This bypasses the safeguards that normally restrict which sysctls a pod may set and leads to container escape and arbitrary code execution as root on any node in the cluster on which the attacker can get a pod scheduled.
Recommendations
Update CRI-O to the first release of your branch that contains the fix, or later:
1.19.x: 1.19.6 or later
1.20.x: 1.20.7 or later
1.21.x: 1.21.6 or later
1.22.x: 1.22.3 or later
1.23.x: 1.23.2 or later
1.24.0 and earlier: a release later than 1.24.0
As a temporary workaround, set manage_ns_lifecycle = false in the [crio.runtime] section of crio.conf, which causes the sysctls to be configured by the OCI runtime instead of pinns, or deploy a validating admission webhook that denies any pod whose sysctl value contains a '+' character.
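The admission check described in the workaround, as an added example that is not part of this advisory or of the CRI-O project: a Go function that inspects the Pod inside a v1 AdmissionReview and denies it when any sysctl name or value contains '+'. The Pod and AdmissionReview structs are a hand-written subset (assumption: trimmed so the example builds without k8s.io/api; a real webhook would import the upstream types and serve the handler over TLS), and the two sample requests are constructed for the example; the malicious one uses the injection shape this bug allows, a safe-listed sysctl whose value smuggles in kernel.core_pattern.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Hand-written subset of the Kubernetes Pod and AdmissionReview types
// (assumption: trimmed here so the example builds without k8s.io/api).
type Sysctl struct {
	Name  string `json:"name"`
	Value string `json:"value"`
}

type PodSecurityContext struct {
	Sysctls []Sysctl `json:"sysctls,omitempty"`
}

type PodSpec struct {
	SecurityContext *PodSecurityContext `json:"securityContext,omitempty"`
}

type Pod struct {
	Spec PodSpec `json:"spec"`
}

type AdmissionRequest struct {
	UID    string          `json:"uid"`
	Object json.RawMessage `json:"object"`
}

type AdmissionStatus struct {
	Message string `json:"message"`
}

type AdmissionResponse struct {
	UID     string           `json:"uid"`
	Allowed bool             `json:"allowed"`
	Status  *AdmissionStatus `json:"status,omitempty"`
}

type AdmissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *AdmissionRequest  `json:"request,omitempty"`
	Response   *AdmissionResponse `json:"response,omitempty"`
}

// CheckSysctls returns "" when the pod's sysctls are safe to hand to CRI-O,
// otherwise a reason to reject the pod. Vulnerable CRI-O releases join the
// pod's "name=value" pairs with '+' before passing them to pinns, which
// splits on '+' again, so a '+' in a value (or name) injects extra sysctls
// on the host. The API server already constrains names, but we check both.
func CheckSysctls(pod *Pod) string {
	if pod.Spec.SecurityContext == nil {
		return ""
	}
	for _, s := range pod.Spec.SecurityContext.Sysctls {
		if strings.Contains(s.Name, "+") || strings.Contains(s.Value, "+") {
			return fmt.Sprintf("sysctl %q: '+' is not allowed in a sysctl name or value (CVE-2022-0811)", s.Name)
		}
	}
	return ""
}

// Review decodes a v1 AdmissionReview carrying a Pod and fills in the response.
func Review(body []byte) (*AdmissionReview, error) {
	var review AdmissionReview
	if err := json.Unmarshal(body, &review); err != nil {
		return nil, fmt.Errorf("decode AdmissionReview: %w", err)
	}
	if review.Request == nil {
		return nil, fmt.Errorf("AdmissionReview has no request")
	}
	var pod Pod
	if err := json.Unmarshal(review.Request.Object, &pod); err != nil {
		return nil, fmt.Errorf("decode Pod: %w", err)
	}
	resp := &AdmissionResponse{UID: review.Request.UID, Allowed: true}
	if reason := CheckSysctls(&pod); reason != "" {
		resp.Allowed = false
		resp.Status = &AdmissionStatus{Message: reason}
	}
	return &AdmissionReview{APIVersion: review.APIVersion, Kind: review.Kind, Response: resp}, nil
}

// Constructed sample requests (not real cluster traffic). The malicious value
// rides on a safe-listed sysctl and appends kernel.core_pattern, which the
// host kernel would apply node-wide; the handler path is a placeholder.
const maliciousReview = `{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview",
 "request":{"uid":"1","object":{"spec":{"securityContext":{"sysctls":[
  {"name":"kernel.shm_rmid_forced","value":"1+kernel.core_pattern=|/host/visible/path/handler.sh #"}]}}}}}`

const benignReview = `{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview",
 "request":{"uid":"2","object":{"spec":{"securityContext":{"sysctls":[
  {"name":"kernel.shm_rmid_forced","value":"1"}]}}}}}`

func main() {
	for _, body := range []string{maliciousReview, benignReview} {
		review, err := Review([]byte(body))
		if err != nil {
			panic(err)
		}
		out, _ := json.Marshal(review)
		fmt.Println(string(out))
	}
}
```

Wire Review into an HTTPS handler registered through a ValidatingWebhookConfiguration for CREATE and UPDATE of pods; the check is a stopgap, and the real fix is upgrading CRI-O so that pinns itself rejects such values.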
Weakness Enumeration
Code Injection
Related Identifiers
Affected Products
Alt Linux
Cri-O
Kubernetes