A flaw was found in cri-o up to version 1.10.2-dev. Pod workloads fail to drop capabilities when switching to a non-root user. This allows a non-root user to create a pod and start it successfully even when the container needs privileged permissions.
References: https://bugzilla.redhat.com/show_bug.cgi?id=1572526
Patch: https://github.com/kubernetes-incubator/cri-o/pull/1544
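As an added example (not code from the cri-o project or from this bug report): a small Python audit that flags pod manifests which rely on the container runtime to drop capabilities for non-root containers instead of stating `capabilities.drop: [ALL]` explicitly in the securityContext. Being explicit in the manifest means a runtime defect like the one above does not silently leave a non-root process with root capabilities. The two manifests it checks are constructed here, and the function names (`audit_pod`, `effective_security_context`, and the helpers) are assumptions of this example.

```python
"""Audit Kubernetes pod manifests for containers that depend on the runtime
to drop capabilities when running as a non-root user.

Constructed example, not part of the cri-o bug report. The pod spec is
expected as an already-parsed dict (e.g. the result of yaml.safe_load).
"""

from typing import Any, Dict, List


def effective_security_context(pod_spec: Dict[str, Any], container: Dict[str, Any]) -> Dict[str, Any]:
    """Merge pod-level and container-level securityContext for the fields we check.

    Container-level runAsUser/runAsNonRoot override pod-level values, as in
    Kubernetes. capabilities and privileged only exist at container level.
    """
    merged: Dict[str, Any] = {}
    pod_sc = pod_spec.get("securityContext") or {}
    ctr_sc = container.get("securityContext") or {}
    for key in ("runAsUser", "runAsNonRoot"):
        if key in pod_sc:
            merged[key] = pod_sc[key]
        if key in ctr_sc:
            merged[key] = ctr_sc[key]
    merged["capabilities"] = ctr_sc.get("capabilities") or {}
    merged["privileged"] = bool(ctr_sc.get("privileged", False))
    return merged


def runs_as_non_root(sc: Dict[str, Any]) -> bool:
    """True when the container process will start under a non-root UID."""
    if sc.get("runAsNonRoot") is True:
        return True
    uid = sc.get("runAsUser")
    return uid is not None and uid != 0


def drops_all_capabilities(sc: Dict[str, Any]) -> bool:
    """True when the manifest itself drops every capability and adds none back."""
    caps = sc.get("capabilities") or {}
    dropped = {str(c).upper() for c in (caps.get("drop") or [])}
    added = caps.get("add") or []
    return "ALL" in dropped and not added


def audit_pod(pod: Dict[str, Any]) -> List[str]:
    """Return one finding per container that relies on implicit capability dropping."""
    findings: List[str] = []
    spec = pod.get("spec") or {}
    containers = list(spec.get("containers") or []) + list(spec.get("initContainers") or [])
    for ctr in containers:
        name = ctr.get("name", "<unnamed>")
        sc = effective_security_context(spec, ctr)
        if sc["privileged"]:
            # Privileged containers keep every capability regardless of UID.
            findings.append(f"{name}: privileged container; capabilities are never dropped")
            continue
        if runs_as_non_root(sc) and not drops_all_capabilities(sc):
            findings.append(
                f"{name}: runs as non-root but does not set capabilities.drop: [ALL]; "
                "relies on the runtime to drop capabilities"
            )
    return findings


# Constructed manifest: non-root UID set at pod level, nothing said about capabilities.
WEAK_POD: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "weak"},
    "spec": {
        "securityContext": {"runAsUser": 1000},
        "containers": [{"name": "app", "image": "example/app:1.0"}],
    },
}

# Constructed manifest: the capability drop is stated in the spec itself.
HARDENED_POD: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "hardened"},
    "spec": {
        "containers": [
            {
                "name": "app",
                "image": "example/app:1.0",
                "securityContext": {
                    "runAsNonRoot": True,
                    "allowPrivilegeEscalation": False,
                    "capabilities": {"drop": ["ALL"]},
                },
            }
        ],
    },
}


if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        name = pod["metadata"]["name"]
        for finding in audit_pod(pod) or [f"{name}: ok"]:
            print(finding)
```

The merge of pod- and container-level fields matters: a pod-level `runAsUser` makes every container non-root, so each container still needs its own explicit `capabilities.drop`. The check deliberately treats any `capabilities.add` as a failure too, since that is the case where a human should review what is being handed back to a non-root process.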
Created cri-o tracking bugs for this issue: Affects: fedora-all [bug 1578110]
I believe this is fixed in cri-o-1.10.1-1.git728df92.fc27
Acknowledgments: Name: OpenShift team (Red Hat)
Can we get some clarification on CVE-2018-1000400 status? https://access.redhat.com/security/cve/cve-2018-1000400 state is "Will not fix" and it is linked to this bz. A customer has a query about this CVE: What problem/issue/behavior are you having trouble with? What do you expect to see? https://access.redhat.com/security/cve/cve-2018-1000400 states that the cri-o package is affected (and won't be fixed) in OpenShift 3 without any mention of the minor version. Please confirm whether the cri-o package in 3.11 is affected or not and which version contains the fix. If it's still affected, we'd like to request a fix backport. Thanks