Bug 2134063 (CVE-2022-3466) - CVE-2022-3466 cri-o: Security regression of CVE-2022-27652
Summary: CVE-2022-3466 cri-o: Security regression of CVE-2022-27652
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-3466
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2064591
Reported: 2022-10-12 10:18 UTC by Mauro Matteo Cascella
Modified: 2023-09-11 20:46 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
The version of cri-o as released for Red Hat OpenShift Container Platform 4.9.48, 4.10.31, and 4.11.6 via RHBA-2022:6316, RHBA-2022:6257, and RHBA-2022:6658, respectively, included an incorrect version of cri-o missing the fix for CVE-2022-27652, which was previously fixed in OCP 4.9.41 and 4.10.12 via RHBA-2022:5433 and RHSA-2022:1600. This issue could allow an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs. For more details, see https://access.redhat.com/security/cve/CVE-2022-27652.
Clone Of:
Environment:
Last Closed: 2023-01-21 07:52:10 UTC
Embargoed:

Links:
Red Hat Product Errata RHSA-2022:7398 (last updated 2023-01-17 14:51:45 UTC)

Description Mauro Matteo Cascella 2022-10-12 10:18:46 UTC
The following cri-o packages as released for Red Hat OpenShift Container Platform 4.9.48, 4.10.31 and 4.11.6 included an incorrect version of cri-o that was missing the fix for CVE-2022-27652:

- cri-o-1.22.5-10.rhaos4.9.gitd14fede.el8 via RHBA-2022:6316 (https://access.redhat.com/errata/RHBA-2022:6316)
- cri-o-1.23.3-16.rhaos4.10.gitd7c9b35.el8 via RHBA-2022:6257 (https://access.redhat.com/errata/RHBA-2022:6257)
- cri-o-1.24.2-7.rhaos4.11.gitca400e0.el8 via RHBA-2022:6658 (https://access.redhat.com/errata/RHBA-2022:6658)

The regressed CVE-2022-27652 was previously corrected in Red Hat OpenShift Container Platform 4.9.41 and 4.10.12 via RHBA-2022:5433 and RHSA-2022:1600, respectively.

CVE-2022-3466 was assigned to this security regression and it is specific to the cri-o packages produced by Red Hat. The original issue could allow an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs. For more details about the original issue, see:

https://access.redhat.com/security/cve/CVE-2022-27652
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2022-27652

Comment 2 errata-xmlrpc 2023-01-17 14:51:43 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2022:7398 https://access.redhat.com/errata/RHSA-2022:7398

Comment 3 Product Security DevOps Team 2023-01-21 07:52:07 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-3466
