Cri-o pods didn't provide sufficient isolation between the workload and infra containers such that when a workload consumed a large amount of memory, the kernel accidently killed the infra container's conmon process. An attacker would use the flaw to get host network access on an Kubernetes worker node.
Acknowledgments: Name: Nick Freeman (Capsule8)
Created cri-o tracking bugs for this issue: Affects: fedora-all [bug 1774273]
Mitigation: As of cri-o v1.15 you can set conmon_cgroup = "system.slice" in the crio.runtime section of /etc/crio/crio.conf. On OpenShift Container Platform 4.x that can be done by following the documentation here: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.2/html/architecture/architecture-rhcos For OpenShift Container Platform 3.x you can edit /etc/crio/crio.conf directly on the worker node if using cri-o on that version. Cri-o is not the default container engine on that version, Docker is.
External References: https://capsule8.com/blog/oomypod-nothin-to-cri-o-bout/
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.2 Via RHSA-2020:2776 https://access.redhat.com/errata/RHSA-2020:2776
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-14891
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.11 Via RHSA-2020:2992 https://access.redhat.com/errata/RHSA-2020:2992