Bug 2272532 (CVE-2024-3154)

Summary: CVE-2024-3154 cri-o: Arbitrary command injection via pod annotation
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: dfreiber, drow, jburrell, pehunt, rogbas, rphillips, security-response-team, sidakwo, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: cri-o 1.30.0, cri-o 1.29.4, cri-o 1.28.6, cri-o 1.27.6 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in cri-o, where an arbitrary systemd property can be injected via a Pod annotation. Any user who can create a pod with an arbitrary annotation may perform an arbitrary action on the host system.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2278701, 2278702, 2278703, 2278704, 2278705, 2278706, 2278707, 2278708    
Bug Blocks: 2272534    

Description Pedro Sampaio 2024-04-01 19:13:02 UTC 
On CRI-O, it looks like an arbitrary systemd property can be injected via a Pod annotation. This means that any user who can create a pod with an arbitrary annotation may perform an arbitrary action on the host system.

References:

https://github.com/opencontainers/runc/pull/3923#discussion_r1538109353
https://github.com/cri-o/cri-o/security/advisories/GHSA-2cgq-h8xw-2v5j
Comment 4 Anten Skrabec 2024-05-02 19:30:38 UTC 
Created cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2278702]


Created cri-o:1.21/cri-o tracking bugs for this issue:

Affects: epel-all [bug 2278701]


Created cri-o:1.22/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2278703]


Created cri-o:1.23/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2278704]


Created cri-o:1.24/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2278705]


Created cri-o:1.25/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2278706]


Created cri-o:1.26/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2278707]


Created cri-o:1.27/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2278708]
Comment 5 errata-xmlrpc 2024-05-09 14:11:55 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:2669 https://access.redhat.com/errata/RHSA-2024:2669
Comment 6 errata-xmlrpc 2024-05-09 17:13:41 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:2672 https://access.redhat.com/errata/RHSA-2024:2672
Comment 7 errata-xmlrpc 2024-05-16 18:31:08 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:2784 https://access.redhat.com/errata/RHSA-2024:2784
Comment 8 errata-xmlrpc 2024-06-05 12:10:08 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:3496 https://access.redhat.com/errata/RHSA-2024:3496