Bug 2253994 (CVE-2023-6476)

Summary: CVE-2023-6476 cri-o: Pods are able to break out of resource confinement on cgroupv2
Product: [Other] Security Response Reporter: Rohit Keshri <rkeshri>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aguadarr, dfreiber, drow, jburrell, rogbas, security-response-team, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: cri-o 1.29.1, cri-o 1.28.3, cri-o 1.27.3 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in CRI-O that involves an experimental annotation leading to a container being unconfined. This may allow a pod to specify and get any amount of memory/cpu, circumventing the kubernetes scheduler and potentially resulting in a denial of service in the node.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2257495, 2257496    
Bug Blocks: 2253992    

Description Rohit Keshri 2023-12-11 12:28:36 UTC 
A vulnerability in CRI-O that involves an experimental annotation leading to a container being unconfined. Back in 2021, Giuseppe put up a PR to add support for an experimental annotation that allows a user to request special resources in cgroupv2. It was supposed to be gated by an experimental annotation: `io.kubernetes.cri-o.UnifiedCgroup`, which was supposed to be filtered from the list of allowed annotations . However, there is a bug in this code which allows any user to specify this annotation, regardless of whether it's enabled on the node.

The consequences of this are a pod can specify any amount of memory/cpu and get it, circumventing the kubernetes scheduler, and potentially be able to DOS a node.
Comment 5 Nick Tait 2024-01-09 21:07:30 UTC 
Created cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2257496]


Created cri-o:1.21/cri-o tracking bugs for this issue:

Affects: epel-all [bug 2257495]
Comment 8 errata-xmlrpc 2024-01-17 17:43:26 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:0207 https://access.redhat.com/errata/RHSA-2024:0207
Comment 9 errata-xmlrpc 2024-01-17 18:02:38 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:0195 https://access.redhat.com/errata/RHSA-2024:0195
Comment 14 errata-xmlrpc 2024-02-27 22:28:58 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2023:7201 https://access.redhat.com/errata/RHSA-2023:7201