Bug 1578109 (CVE-2018-1000400)

Summary: CVE-2018-1000400 cri-o: capabilities are not dropped when switching to a non-root user
Product: [Other] Security Response
Reporter: Laura Pardo <lpardo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: abhgupta, ahardin, amurdaca, aos-bugs, bleanhar, bmontgom, ccoleman, dbaker, dedgar, dominik.mierzejewski, dwalsh, eparis, jburrell, jgoulding, jokerman, lsm5, mchappel, mpatel, nstielau, rphillips, santiago, sfowler, sponnaga, sthangav, trankin, zhigwang
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: cri-o 1.10.1-2
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2021-10-21 20:03:11 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1578110, 1578441, 1578442
Bug Blocks: 1578116

Description Laura Pardo 2018-05-14 19:52:25 UTC
A flaw was found in cri-o up to version 1.10.2-dev. Pod workloads fail to drop capabilities when switching to a non-root user. This allows a non-root user to create a pod and start it successfully even when the container needs privileged permissions.


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1572526

Patch:
https://github.com/kubernetes-incubator/cri-o/pull/1544
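The program below is an added example for checking the behaviour this bug describes; it is not cri-o code and not the fix from the pull request above. It parses the capability lines of /proc/<pid>/status the way a process inside the pod would see them and reports every capability a non-root process still holds. The kernel rule it relies on: once all of a process's UIDs become nonzero, the permitted, effective and ambient sets are cleared unless the runtime deliberately re-adds them, so a container started as a non-root user is expected to show all zeros in CapPrm, CapEff and CapAmb, while CapBnd normally stays populated. The two status snippets are constructed samples (0xa80425fb is the usual default container capability set); the type and function names are the author's own.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// capNames holds Linux capability names indexed by bit number, in the order of
// include/uapi/linux/capability.h (CAP_CHOWN is bit 0).
var capNames = []string{
	"CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID",
	"CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE",
	"CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK",
	"CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
	"CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE", "CAP_SYS_RESOURCE",
	"CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE", "CAP_AUDIT_WRITE",
	"CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG",
	"CAP_WAKE_ALARM", "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
	"CAP_CHECKPOINT_RESTORE",
}

// CapSets is the part of /proc/<pid>/status this check needs (hypothetical type).
type CapSets struct {
	EUID               uint64
	Prm, Eff, Amb, Bnd uint64
}

// ParseStatus extracts the effective UID and the four capability masks from
// the text of /proc/<pid>/status. It fails if any of them is missing.
func ParseStatus(status string) (CapSets, error) {
	var cs CapSets
	masks := map[string]*uint64{"CapPrm:": &cs.Prm, "CapEff:": &cs.Eff, "CapAmb:": &cs.Amb, "CapBnd:": &cs.Bnd}
	found := 0
	for _, line := range strings.Split(status, "\n") {
		f := strings.Fields(line)
		switch {
		case len(f) >= 3 && f[0] == "Uid:": // real, effective, saved, filesystem UID
			v, err := strconv.ParseUint(f[2], 10, 64)
			if err != nil {
				return cs, err
			}
			cs.EUID, found = v, found+1
		case len(f) >= 2 && masks[f[0]] != nil:
			v, err := strconv.ParseUint(f[1], 16, 64)
			if err != nil {
				return cs, fmt.Errorf("%s %v", f[0], err)
			}
			*masks[f[0]], found = v, found+1
		}
	}
	if found != 5 {
		return cs, fmt.Errorf("need Uid and CapPrm/CapEff/CapAmb/CapBnd lines, found %d", found)
	}
	return cs, nil
}

// Decode expands a capability bitmask into names, lowest bit first.
func Decode(mask uint64) []string {
	var names []string
	for bit := 0; bit < 64; bit++ {
		if mask&(1<<uint(bit)) == 0 {
			continue
		}
		name := fmt.Sprintf("CAP_%d", bit) // bit newer than this table
		if bit < len(capNames) {
			name = capNames[bit]
		}
		names = append(names, name)
	}
	return names
}

// CheckDropped returns the capabilities a non-root process can still use or
// regain (permitted, effective or ambient). Empty means the switch to the
// non-root user dropped them as expected. Root processes are not checked, and
// the bounding set is left out because it only limits what can be gained.
func CheckDropped(cs CapSets) []string {
	if cs.EUID == 0 {
		return nil
	}
	return Decode(cs.Prm | cs.Eff | cs.Amb)
}

// Constructed sample: UID 1000 still carries the default set, ambient included.
const LeakedStatus = `Uid:    1000    1000    1000    1000
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb
CapAmb: 00000000a80425fb`

// Constructed sample: the same process after a correct switch to UID 1000.
const DroppedStatus = `Uid:    1000    1000    1000    1000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 00000000a80425fb
CapAmb: 0000000000000000`

func main() {
	for _, s := range []struct{ name, status string }{{"leaked", LeakedStatus}, {"dropped", DroppedStatus}} {
		cs, err := ParseStatus(s.status)
		if err != nil {
			fmt.Printf("%s: %v\n", s.name, err)
			continue
		}
		if held := CheckDropped(cs); len(held) > 0 {
			fmt.Printf("%s: uid %d still holds %v\n", s.name, cs.EUID, held)
		} else {
			fmt.Printf("%s: uid %d holds no capabilities; bounding set %v\n", s.name, cs.EUID, Decode(cs.Bnd))
		}
	}
}
```

To turn this into a live check inside a pod, replace the sample constants with the contents of /proc/self/status (os.ReadFile) and run it as the container's non-root user; a non-empty result from CheckDropped is the condition this bug describes.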

Comment 1 Laura Pardo 2018-05-14 19:52:54 UTC
Created cri-o tracking bugs for this issue:

Affects: fedora-all [bug 1578110]

Comment 2 Daniel Walsh 2018-05-14 20:26:48 UTC
I believe this is fixed in cri-o-1.10.1-1.git728df92.fc27

Comment 6 Laura Pardo 2018-05-15 20:02:49 UTC
Acknowledgments:

Name: OpenShift team (Red Hat)

Comment 7 Zhigang Wang 2019-09-19 17:16:59 UTC
Can we get some clarification on CVE-2018-1000400 status?

https://access.redhat.com/security/cve/cve-2018-1000400 state is "Will not fix"
and it is linked to this bz.

A customer has a query about this CVE:

What problem/issue/behavior are you having trouble with?  What do you expect to see?

https://access.redhat.com/security/cve/cve-2018-1000400 states that cri-o package is affected (and won't be fixed) in OpenShift 3 without any mention of the minor version. Please confirm if the cri-o package in 3.11 is affected or not and which version contains the fix. If it's still affected, we'd like to request a fix backport.

Thanks