Virtual Machine Instances (VMIs) can be used to gain access to the host's filesystem. Upstream fix: https://github.com/kubevirt/kubevirt/pull/3686
Acknowledgments: Fabian Deutsch (Red Hat)
This issue has been addressed in the following products: RHEL-8-CNV-2.4 and RHEL-7-CNV-2.4, via RHSA-2020:3194: https://access.redhat.com/errata/RHSA-2020:3194
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-14316
Mitigation: This flaw can be partially or completely mitigated by leveraging existing mechanisms to restrict the VMI process, such as running as non-root and using SELinux and sVirt whenever possible.
Statement: OpenShift Virtualization 1.4 and 2.3 use an affected version of kubevirt in the virt-launcher container; however, the impact is rated Moderate, as VMIs are running as non-root and thus have limited access to the host's filesystem.