Bug 2208376 (CVE-2023-32314) - CVE-2023-32314 vm2: Sandbox Escape
Summary: CVE-2023-32314 vm2: Sandbox Escape
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2023-32314
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Duplicates: 2208343
Depends On: 2208382
Blocks: 2208369
Reported: 2023-05-18 18:48 UTC by Borja Tarraso
Modified: 2023-05-31 02:33 UTC

Fixed In Version: vm2 3.9.18
Doc Type: ---
Doc Text:
A flaw was found in the vm2 sandbox. When a host object is created based on the specification of Proxy, an attacker can bypass the sandbox protections. This may allow an attacker to achieve remote code execution on the host running the sandbox. This vulnerability impacts the confidentiality, integrity, and availability of the system.
Clone Of:
Environment:
Last Closed: 2023-05-31 02:33:13 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:3296 0 None None None 2023-05-24 15:23:46 UTC
Red Hat Product Errata RHSA-2023:3297 0 None None None 2023-05-24 18:04:03 UTC
Red Hat Product Errata RHSA-2023:3325 0 None None None 2023-05-25 16:23:50 UTC
Red Hat Product Errata RHSA-2023:3326 0 None None None 2023-05-26 07:56:00 UTC
Red Hat Product Errata RHSA-2023:3353 0 None None None 2023-05-30 16:49:08 UTC
Red Hat Product Errata RHSA-2023:3356 0 None None None 2023-05-30 21:02:11 UTC

Description Borja Tarraso 2023-05-18 18:48:30 UTC
vm2 is a sandbox that can run untrusted code with Node's built-in modules. A sandbox escape vulnerability exists in vm2 for versions up to and including 3.9.17. It abuses an unexpected creation of a host object based on the specification of `Proxy`. As a result, a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version `3.9.18` of `vm2`. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Comment 2 Borja Tarraso 2023-05-18 19:05:04 UTC
*** Bug 2208343 has been marked as a duplicate of this bug. ***

Comment 4 errata-xmlrpc 2023-05-24 15:23:45 UTC
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.2 for RHEL 8

Via RHSA-2023:3296 https://access.redhat.com/errata/RHSA-2023:3296

Comment 5 errata-xmlrpc 2023-05-24 18:04:02 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.7 for RHEL 8

Via RHSA-2023:3297 https://access.redhat.com/errata/RHSA-2023:3297

Comment 6 errata-xmlrpc 2023-05-25 16:23:48 UTC
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.1 for RHEL 8

Via RHSA-2023:3325 https://access.redhat.com/errata/RHSA-2023:3325

Comment 7 errata-xmlrpc 2023-05-26 07:55:59 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2023:3326 https://access.redhat.com/errata/RHSA-2023:3326

Comment 8 errata-xmlrpc 2023-05-30 16:49:07 UTC
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.0 for RHEL 8

Via RHSA-2023:3353 https://access.redhat.com/errata/RHSA-2023:3353

Comment 9 errata-xmlrpc 2023-05-30 21:02:09 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8

Via RHSA-2023:3356 https://access.redhat.com/errata/RHSA-2023:3356

Comment 10 Product Security DevOps Team 2023-05-31 02:33:10 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-32314

