CVE-2023-0229

Name of the Vulnerable Software and Affected Versions OpenShift versions 4.11 through 4.12

Description A flaw was found in the apiserver-library-go package that can allow low-privileged users to set the seccomp profile for pods they control to "unconfined." The seccomp profile used in the restricted-v2 Security Context Constraint (SCC) is "runtime/default" by default, which allows users to disable seccomp for pods they can create and modify.

Recommendations For OpenShift versions 4.11 and 4.12, consider restricting the ability of low-privileged users to set the seccomp profile for pods they control to prevent potential exploitation. As a temporary workaround, consider disabling the use of the "unconfined" seccomp profile for pods until a patch is available. Restrict access to the restricted-v2 Security Context Constraint (SCC) to minimize the risk of exploitation.