Virtual Machine Instances (VMIs) can be used to gain access to the host's filesystem.
Upstream fix: https://github.com/kubevirt/kubevirt/pull/3686
Name: Fabian Deutsch (Red Hat)
This issue has been addressed in the following products:
Via RHSA-2020:3194 https://access.redhat.com/errata/RHSA-2020:3194
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
This flaw can be partially or completely mitigated by leveraging existing mechanisms to restrict the VMI process, such as running as non-root and using SELinux and sVirt whenever possible.
OpenShift Virtualization 1.4 and 2.3 use an affected version of kubevirt in the virt-launcher container; however, the impact is rated Moderate because VMIs run as non-root and thus have limited access to the host's filesystem.