Bug 2313842 (CVE-2024-8676)

Summary: CVE-2024-8676 cri-o: Checkpoint restore can be triggered from different namespaces
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: asdas, bmontgom, dpaolell, eparis, jburrell, jdelft, jupierce, lgarciaa, mbenatto, mbiarnes, mheon, nstielau, security-response-team, sidsharm, sponnaga, talessio, tsweeney, vlaad, ximhan, yuxzhu
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in CRI-O, where it can be requested to take a checkpoint archive of a container and later be asked to restore it. When it does that restoration, it attempts to restore the mounts from the restore archive instead of the pod request. As a result, the validations run on the pod spec, verifying that the pod has access to the mounts it specifies are not applicable to a restored container. This flaw allows a malicious user to trick CRI-O into restoring a pod that doesn't have access to host mounts. The user needs access to the kubelet or cri-o socket to call the restore endpoint and trigger the restore.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2343213, 2343214    
Bug Blocks:    

Description OSIDB Bzimport 2024-09-20 20:15:07 UTC 
A checkpoint restore for namespace B can be triggered from namespace A breaking pods security contexts.
Comment 2 errata-xmlrpc 2025-01-29 19:20:44 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2025:0648 https://access.redhat.com/errata/RHSA-2025:0648
Comment 4 errata-xmlrpc 2025-03-04 17:26:24 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2025:1908 https://access.redhat.com/errata/RHSA-2025:1908
Comment 6 errata-xmlrpc 2025-04-02 14:35:10 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2025:3297 https://access.redhat.com/errata/RHSA-2025:3297
Comment 7 errata-xmlrpc 2025-05-01 03:08:45 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2025:4211 https://access.redhat.com/errata/RHSA-2025:4211
Comment 8 errata-xmlrpc 2025-07-02 03:53:06 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2025:9765 https://access.redhat.com/errata/RHSA-2025:9765