Bug 1578109 (CVE-2018-1000400) - CVE-2018-1000400 cri-o: capabilities are not dropped when switching to a non-root user
Summary: CVE-2018-1000400 cri-o: capabilities are not dropped when switching to a non-...
Alias: CVE-2018-1000400
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1578110 1578441 1578442
Blocks: 1578116
TreeView+ depends on / blocked
Reported: 2018-05-14 19:52 UTC by Laura Pardo
Modified: 2021-10-21 20:03 UTC (History)
26 users (show)

Fixed In Version: cri-o 1.10.1-2
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2021-10-21 20:03:11 UTC

Attachments (Terms of Use)

Description Laura Pardo 2018-05-14 19:52:25 UTC
A flaw was found in cri-o up to version 1.10.2-dev. Pod workloads fails to drop capabilities when switching to a non-root
user. This allows a non root user to create a pod and start it successfully even when the container needs privileged permissions.



Comment 1 Laura Pardo 2018-05-14 19:52:54 UTC
Created cri-o tracking bugs for this issue:

Affects: fedora-all [bug 1578110]

Comment 2 Daniel Walsh 2018-05-14 20:26:48 UTC
I believe this is fixed in cri-o-1.10.1-1.git728df92.fc27

Comment 6 Laura Pardo 2018-05-15 20:02:49 UTC

Name: OpenShift team (Red Hat)

Comment 7 Zhigang Wang 2019-09-19 17:16:59 UTC
Can we get some clarification on CVE-2018-1000400 status?

https://access.redhat.com/security/cve/cve-2018-1000400 state is "Will not fix"
and it is linked to this bz.

A customer has query about this CVE:
What problem/issue/behavior are you having trouble with?  What do you expect to see?

https://access.redhat.com/security/cve/cve-2018-1000400 states that cri-o package is affected (and won't be fixed) in OpenShift 3 without any mention of the minor version. Please confirm if the cri-o package in 3.11 is affected or not and which version contains the fix. If it's still affected, we'd like to request a fix backport.


Note You need to log in before you can comment on or make changes to this bug.