CVE-2023-6476

Name of the Vulnerable Software and Affected Versions CRI-O versions prior to 1.29.1 CRI-O versions prior to 1.28.3 CRI-O versions prior to 1.27.3

Description A flaw was found in CRI-O that involves an experimental annotation leading to a container being unconfined. This may allow a pod to specify and get any amount of memory/cpu, circumventing the Kubernetes scheduler and potentially resulting in a denial of service in the node. The issue is related to the io.kubernetes.cri-o.UnifiedCgroup annotation, which was supposed to be filtered from the list of allowed annotations but is not due to a bug. This allows any user to specify this annotation, regardless of whether it's enabled on the node.

Recommendations For CRI-O versions prior to 1.29.1, upgrade to version 1.29.1 or later. For CRI-O versions prior to 1.28.3, upgrade to version 1.28.3 or later. For CRI-O versions prior to 1.27.3, upgrade to version 1.27.3 or later. As a temporary workaround, consider using cgroupv1 instead of cgroupv2.