Bug 2215555 (CVE-2023-2431)

Summary: CVE-2023-2431 kubernetes: Bypass of seccomp profile enforcement
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: adudiak, akarol, amctagga, aveerama, bbuckingham, bcourt, cwelton, dfreiber, dhughes, dmetzger, dsimansk, dymurray, eglynn, ehelms, ellin, gmccullo, gtanzill, jburrell, jchaloup, jhardy, jjoyce, jkoehler, jmatthew, jsherril, kshier, lball, lhh, lzap, matzew, mburns, mgarciac, mhulan, muagarwa, myarboro, nbecker, nmoumoul, nobody, orabin, pcreech, pgrist, rchan, rhos-maint, rhuss, rjohnson, rogbas, roliveri, scorneli, shbose, simaishi, skontopo, smallamp, stcannon, tfister, ubhargav, vkumar, whayutin, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Kubernetes. This issue occurs when Kubernetes allows a local authenticated attacker to bypass security restrictions, caused by a flaw when using the localhost type for a seccomp profile but specifying an empty profile field. An attacker can bypass the seccomp profile enforcement by sending a specially crafted request.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2219241, 2215556, 2215559, 2215560, 2215561, 2219238, 2219239, 2219240, 2219242, 2219260    
Bug Blocks: 2215557    

Description Guilherme de Almeida Suckevicz 2023-06-16 13:59:30 UTC 
A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement. Pods that use localhost type for seccomp profile but specify an empty profile field, are affected by this issue. In this scenario, this vulnerability allows the pod to run in unconfined (seccomp disabled) mode. This bug affects Kubelet.

References:
https://groups.google.com/g/kubernetes-security-announce/c/QHmx0HOQa10
https://github.com/kubernetes/kubernetes/issues/118690
Comment 1 Guilherme de Almeida Suckevicz 2023-06-16 13:59:52 UTC 
Created kubernetes tracking bugs for this issue:

Affects: fedora-all [bug 2215556]
Comment 4 Fedora Update System 2023-06-27 10:55:07 UTC 
FEDORA-2023-c7f63322b5 has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 13 errata-xmlrpc 2023-10-30 00:25:13 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:6156 https://access.redhat.com/errata/RHSA-2023:6156