Bug 2208376 (CVE-2023-32314)

Summary: CVE-2023-32314 vm2: Sandbox Escape
Product: [Other] Security Response
Reporter: Borja Tarraso <btarraso>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: urgent
Priority: urgent
Version: unspecified
CC: dkuc, fjansen, gparvin, hkataria, kshier, njean, owatkins, pahickey, stcannon, teagle
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: vm2 3.9.18
Doc Text: A flaw was found in the vm2 sandbox. When a host object is created based on the specification of Proxy, an attacker can bypass the sandbox protections. This may allow an attacker to run remote code execution on the host running the sandbox. This vulnerability impacts the confidentiality, integrity, and availability of the system.
Last Closed: 2023-05-31 02:33:13 UTC
Bug Depends On: 2208382
Bug Blocks: 2208369

Description Borja Tarraso 2023-05-18 18:48:30 UTC
vm2 is a sandbox that can run untrusted code with Node's built-in modules. A sandbox escape vulnerability exists in vm2 for versions up to and including 3.9.17. It abuses an unexpected creation of a host object based on the specification of `Proxy`. As a result a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version `3.9.18` of `vm2`. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Comment 2 Borja Tarraso 2023-05-18 19:05:04 UTC
*** Bug 2208343 has been marked as a duplicate of this bug. ***

Comment 4 errata-xmlrpc 2023-05-24 15:23:45 UTC
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.2 for RHEL 8

Via RHSA-2023:3296 https://access.redhat.com/errata/RHSA-2023:3296

Comment 5 errata-xmlrpc 2023-05-24 18:04:02 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.7 for RHEL 8

Via RHSA-2023:3297 https://access.redhat.com/errata/RHSA-2023:3297

Comment 6 errata-xmlrpc 2023-05-25 16:23:48 UTC
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.1 for RHEL 8

Via RHSA-2023:3325 https://access.redhat.com/errata/RHSA-2023:3325

Comment 7 errata-xmlrpc 2023-05-26 07:55:59 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2023:3326 https://access.redhat.com/errata/RHSA-2023:3326

Comment 8 errata-xmlrpc 2023-05-30 16:49:07 UTC
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.0 for RHEL 8

Via RHSA-2023:3353 https://access.redhat.com/errata/RHSA-2023:3353

Comment 9 errata-xmlrpc 2023-05-30 21:02:09 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8

Via RHSA-2023:3356 https://access.redhat.com/errata/RHSA-2023:3356

Comment 10 Product Security DevOps Team 2023-05-31 02:33:10 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-32314