Bug 2187608 (CVE-2023-30547)

Summary: CVE-2023-30547 vm2: Sandbox Escape when exception sanitization
Product: [Other] Security Response
Reporter: Borja Tarraso <btarraso>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: urgent
Docs Contact:
Priority: urgent
Version: unspecified
CC: dkuc, fjansen, gparvin, hkataria, kshier, njean, owatkins, pahickey, stcannon, teagle
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: vm2 3.9.17
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the vm2 sandbox. When exception handling is triggered, an unsanitized host exception raised inside handleException() is not managed properly and can reach the sandboxed code. This issue may allow an attacker to bypass the sandbox protections, which can lead to remote code execution in the context of the host process that runs the sandbox.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-04-20 07:35:25 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2187675
Bug Blocks: 2187607

Description Borja Tarraso 2023-04-18 07:02:14 UTC
vm2 is a sandbox that can run untrusted code with whitelisted Node built-in modules. There exists a vulnerability in exception sanitization of vm2 for versions up to 3.9.16, allowing attackers to raise an unsanitized host exception inside `handleException()` which can be used to escape the sandbox and run arbitrary code in host context. This vulnerability was patched in the release of version `3.9.17` of `vm2`. There are no known workarounds for this vulnerability. Users are advised to upgrade.

https://github.com/patriksimek/vm2/commit/f3db4dee4d76b19869df05ba7880d638a880edd5
https://github.com/patriksimek/vm2/commit/4b22e87b102d97d45d112a0931dba1aef7eea049
https://github.com/patriksimek/vm2/security/advisories/GHSA-ch3r-j5x3-6q2m
https://gist.github.com/leesh3288/381b230b04936dd4d74aaf90cc8bb244

Comment 3 errata-xmlrpc 2023-04-19 23:50:31 UTC
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.2 for RHEL 8

Via RHSA-2023:1887 https://access.redhat.com/errata/RHSA-2023:1887

Comment 4 errata-xmlrpc 2023-04-20 01:39:32 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.7 for RHEL 8

Via RHSA-2023:1888 https://access.redhat.com/errata/RHSA-2023:1888

Comment 5 errata-xmlrpc 2023-04-20 01:52:16 UTC
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.0 for RHEL 8

Via RHSA-2023:1893 https://access.redhat.com/errata/RHSA-2023:1893

Comment 6 errata-xmlrpc 2023-04-20 01:54:13 UTC
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.1 for RHEL 8

Via RHSA-2023:1894 https://access.redhat.com/errata/RHSA-2023:1894

Comment 7 errata-xmlrpc 2023-04-20 02:16:25 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2023:1897 https://access.redhat.com/errata/RHSA-2023:1897

Comment 8 errata-xmlrpc 2023-04-20 02:16:32 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8

Via RHSA-2023:1896 https://access.redhat.com/errata/RHSA-2023:1896

Comment 9 Product Security DevOps Team 2023-04-20 07:35:22 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-30547