2272532 – (CVE-2024-3154) CVE-2024-3154 cri-o: Arbitrary command injection via pod annotation

Bug 2272532 (CVE-2024-3154) - CVE-2024-3154 cri-o: Arbitrary command injection via pod annotation

Summary: CVE-2024-3154 cri-o: Arbitrary command injection via pod annotation

Keywords:
Status:	NEW
Alias:	CVE-2024-3154
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2278701 2278702 2278703 2278704 2278705 2278706 2278707 2278708
Blocks:	2272534
TreeView+	depends on / blocked

Reported:	2024-04-01 19:13 UTC by Pedro Sampaio
Modified:	2024-05-16 18:31 UTC (History)
CC List:	9 users (show)
Fixed In Version:	cri-o 1.30.0, cri-o 1.29.4, cri-o 1.28.6, cri-o 1.27.6
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in cri-o, where an arbitrary systemd property can be injected via a Pod annotation. Any user who can create a pod with an arbitrary annotation may perform an arbitrary action on the host system.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2024:2669	None	None	None	2024-05-09 14:11:56 UTC
Red Hat Product Errata	RHSA-2024:2672	None	None	None	2024-05-09 17:13:42 UTC
Red Hat Product Errata	RHSA-2024:2784	None	None	None	2024-05-16 18:31:09 UTC

Description Pedro Sampaio 2024-04-01 19:13:02 UTC

On CRI-O, it looks like an arbitrary systemd property can be injected via a Pod annotation. This means that any user who can create a pod with an arbitrary annotation may perform an arbitrary action on the host system.

References:

https://github.com/opencontainers/runc/pull/3923#discussion_r1538109353
https://github.com/cri-o/cri-o/security/advisories/GHSA-2cgq-h8xw-2v5j

Comment 4 Anten Skrabec 2024-05-02 19:30:38 UTC

Created cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2278702]


Created cri-o:1.21/cri-o tracking bugs for this issue:

Affects: epel-all [bug 2278701]


Created cri-o:1.22/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2278703]


Created cri-o:1.23/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2278704]


Created cri-o:1.24/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2278705]


Created cri-o:1.25/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2278706]


Created cri-o:1.26/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2278707]


Created cri-o:1.27/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2278708]

Comment 5 errata-xmlrpc 2024-05-09 14:11:55 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:2669 https://access.redhat.com/errata/RHSA-2024:2669

Comment 6 errata-xmlrpc 2024-05-09 17:13:41 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:2672 https://access.redhat.com/errata/RHSA-2024:2672

Comment 7 errata-xmlrpc 2024-05-16 18:31:08 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:2784 https://access.redhat.com/errata/RHSA-2024:2784

Note You need to log in before you can comment on or make changes to this bug.