2253994 – (CVE-2023-6476) CVE-2023-6476 cri-o: Pods are able to break out of resource confinement on cgroupv2

Bug 2253994 (CVE-2023-6476) - CVE-2023-6476 cri-o: Pods are able to break out of resource confinement on cgroupv2

Summary: CVE-2023-6476 cri-o: Pods are able to break out of resource confinement on cg...

Keywords:
Status:	NEW
Alias:	CVE-2023-6476
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2257495 2257496
Blocks:	2253992
TreeView+	depends on / blocked

Reported:	2023-12-11 12:28 UTC by Rohit Keshri
Modified:	2024-04-17 10:28 UTC (History)
CC List:	7 users (show)
Fixed In Version:	cri-o 1.29.1, cri-o 1.28.3, cri-o 1.27.3
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in CRI-O that involves an experimental annotation leading to a container being unconfined. This may allow a pod to specify and get any amount of memory/cpu, circumventing the kubernetes scheduler and potentially resulting in a denial of service in the node.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2023:7201	None	None	None	2024-02-27 22:28:59 UTC
Red Hat Product Errata	RHSA-2024:0195	None	None	None	2024-01-17 18:02:39 UTC
Red Hat Product Errata	RHSA-2024:0207	None	None	None	2024-01-17 17:43:27 UTC

Description Rohit Keshri 2023-12-11 12:28:36 UTC

A vulnerability in CRI-O that involves an experimental annotation leading to a container being unconfined. Back in 2021, Giuseppe put up a PR to add support for an experimental annotation that allows a user to request special resources in cgroupv2. It was supposed to be gated by an experimental annotation: `io.kubernetes.cri-o.UnifiedCgroup`, which was supposed to be filtered from the list of allowed annotations . However, there is a bug in this code which allows any user to specify this annotation, regardless of whether it's enabled on the node.

The consequences of this are a pod can specify any amount of memory/cpu and get it, circumventing the kubernetes scheduler, and potentially be able to DOS a node.

Comment 5 Nick Tait 2024-01-09 21:07:30 UTC

Created cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2257496]


Created cri-o:1.21/cri-o tracking bugs for this issue:

Affects: epel-all [bug 2257495]

Comment 8 errata-xmlrpc 2024-01-17 17:43:26 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:0207 https://access.redhat.com/errata/RHSA-2024:0207

Comment 9 errata-xmlrpc 2024-01-17 18:02:38 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:0195 https://access.redhat.com/errata/RHSA-2024:0195

Comment 14 errata-xmlrpc 2024-02-27 22:28:58 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2023:7201 https://access.redhat.com/errata/RHSA-2023:7201

Note You need to log in before you can comment on or make changes to this bug.