Bug 2187608 (CVE-2023-30547) - CVE-2023-30547 vm2: Sandbox Escape when exception sanitization
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2023-30547
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2187675
Blocks: 2187607
Reported: 2023-04-18 07:02 UTC by Borja Tarraso
Modified: 2023-04-27 05:47 UTC

Fixed In Version: vm2 3.9.17
Doc Text:
A flaw was found in the vm2 sandbox. When exception handling is triggered, an unsanitized host is not managed properly. This issue may allow an attacker to bypass the sandbox protections, which can lead to remote code execution on the hypervisor host or the host that is running the sandbox.
Clone Of:
Environment:
Last Closed: 2023-04-20 07:35:25 UTC
Embargoed:


Links

| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Red Hat Product Errata | RHSA-2023:1887 | 0 | None | None | None | 2023-04-19 23:50:33 UTC |
| Red Hat Product Errata | RHSA-2023:1888 | 0 | None | None | None | 2023-04-20 01:39:33 UTC |
| Red Hat Product Errata | RHSA-2023:1893 | 0 | None | None | None | 2023-04-20 01:52:18 UTC |
| Red Hat Product Errata | RHSA-2023:1894 | 0 | None | None | None | 2023-04-20 01:54:14 UTC |
| Red Hat Product Errata | RHSA-2023:1896 | 0 | None | None | None | 2023-04-20 02:16:34 UTC |
| Red Hat Product Errata | RHSA-2023:1897 | 0 | None | None | None | 2023-04-20 02:16:27 UTC |

Description Borja Tarraso 2023-04-18 07:02:14 UTC
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. There exists a vulnerability in exception sanitization of vm2 for versions up to 3.9.16, allowing attackers to raise an unsanitized host exception inside `handleException()` which can be used to escape the sandbox and run arbitrary code in host context. This vulnerability was patched in the release of version `3.9.17` of `vm2`. There are no known workarounds for this vulnerability. Users are advised to upgrade.

https://github.com/patriksimek/vm2/commit/f3db4dee4d76b19869df05ba7880d638a880edd5
https://github.com/patriksimek/vm2/commit/4b22e87b102d97d45d112a0931dba1aef7eea049
https://github.com/patriksimek/vm2/security/advisories/GHSA-ch3r-j5x3-6q2m
https://gist.github.com/leesh3288/381b230b04936dd4d74aaf90cc8bb244

Comment 3 errata-xmlrpc 2023-04-19 23:50:31 UTC
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.2 for RHEL 8

Via RHSA-2023:1887 https://access.redhat.com/errata/RHSA-2023:1887

Comment 4 errata-xmlrpc 2023-04-20 01:39:32 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.7 for RHEL 8

Via RHSA-2023:1888 https://access.redhat.com/errata/RHSA-2023:1888

Comment 5 errata-xmlrpc 2023-04-20 01:52:16 UTC
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.0 for RHEL 8

Via RHSA-2023:1893 https://access.redhat.com/errata/RHSA-2023:1893

Comment 6 errata-xmlrpc 2023-04-20 01:54:13 UTC
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.1 for RHEL 8

Via RHSA-2023:1894 https://access.redhat.com/errata/RHSA-2023:1894

Comment 7 errata-xmlrpc 2023-04-20 02:16:25 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2023:1897 https://access.redhat.com/errata/RHSA-2023:1897

Comment 8 errata-xmlrpc 2023-04-20 02:16:32 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8

Via RHSA-2023:1896 https://access.redhat.com/errata/RHSA-2023:1896

Comment 9 Product Security DevOps Team 2023-04-20 07:35:22 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-30547

