Bug 2141733
| Summary: | Rook Ceph crashcollector: Container breakout | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Sage McTaggart <amctagga> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | amctagga, aoconnor, bniver, flucifre, gmeno, mbenjamin, mhackett, sostapov, vereddy |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
A flaw was found in Ceph-Rook. An attacker with root capabilities can escape the cgroup isolation and gain access to unauthorized information. This issue impacts confidentiality, integrity, and availability.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-12-08 18:55:24 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2141734, 2141735 | ||
| Bug Blocks: | 2141732 | ||
|
Description
Sage McTaggart
2022-11-10 16:17:25 UTC
Fix Recommendation To help keep containers secure: Do not use privileged flag, it disables all the security mechanisms placed by docker. Do not run containers as the root user. Use SecComp and AppArmor profiles to harden the container. Do not mount root volumes into the container This is actually a report of CVE-2022-0492[1][2] as applied to Ceph on Openshift using RHEL as a base platform. As a result of the flaw in RHEL (as used as the base image), a customer's pentest showed this to be affected. However, there is no evidence this is an independent flaw, and thus, there is no additional impact to Confidentiality, Integrity, or Availability, and no security boundaries being crossed. In addition, this requires running as root and CAP_SYS_ADMIN capability, which is not an approved configuration. [1] https://unit42.paloaltonetworks.com/cve-2022-0492-cgroups/ [2] https://access.redhat.com/security/cve/cve-2022-0492 |