Bug 2134063 (CVE-2022-3466)

Summary: CVE-2022-3466 cri-o: Security regression of CVE-2022-27652
Product: [Other] Security Response
Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: jburrell, rdey, vkumar
Keywords: Security
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
The version of cri-o as released for Red Hat OpenShift Container Platform 4.9.48, 4.10.31, and 4.11.6 via RHBA-2022:6316, RHBA-2022:6257, and RHBA-2022:6658, respectively, included an incorrect version of cri-o missing the fix for CVE-2022-27652, which was previously fixed in OCP 4.9.41 and 4.10.12 via RHBA-2022:5433 and RHSA-2022:1600. This issue could allow an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs. For more details, see https://access.redhat.com/security/cve/CVE-2022-27652.
Last Closed: 2023-01-21 07:52:10 UTC
Bug Blocks: 2064591

Description Mauro Matteo Cascella 2022-10-12 10:18:46 UTC
The following cri-o packages as released for Red Hat OpenShift Container Platform 4.9.48, 4.10.31 and 4.11.6 included an incorrect version of cri-o that was missing the fix for CVE-2022-27652:

- cri-o-1.22.5-10.rhaos4.9.gitd14fede.el8 via RHBA-2022:6316 (https://access.redhat.com/errata/RHBA-2022:6316)
- cri-o-1.23.3-16.rhaos4.10.gitd7c9b35.el8 via RHBA-2022:6257 (https://access.redhat.com/errata/RHBA-2022:6257)
- cri-o-1.24.2-7.rhaos4.11.gitca400e0.el8 via RHBA-2022:6658 (https://access.redhat.com/errata/RHBA-2022:6658)

The regressed CVE-2022-27652 was previously corrected in Red Hat OpenShift Container Platform 4.9.41 and 4.10.12 via RHBA-2022:5433 and RHSA-2022:1600, respectively.

CVE-2022-3466 was assigned to this security regression and it is specific to the cri-o packages produced by Red Hat. The original issue could allow an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs. For more details about the original issue, see:

https://access.redhat.com/security/cve/CVE-2022-27652
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2022-27652

Comment 2 errata-xmlrpc 2023-01-17 14:51:43 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2022:7398 https://access.redhat.com/errata/RHSA-2022:7398

Comment 3 Product Security DevOps Team 2023-01-21 07:52:07 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-3466