Bug 1772280 (CVE-2019-14891) - CVE-2019-14891 cri-o: infra container reparented to systemd following OOM Killer killing it's conmon
Keywords:
Status: NEW
Alias: CVE-2019-14891
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1774270 1774271 1774272 1774273 1774269
Blocks: 1770013
Reported: 2019-11-14 01:23 UTC by Jason Shepherd
Modified: 2020-01-07 16:13 UTC (History)

Fixed In Version: cri-o-1.16.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in cri-o, as a result of all pod-related processes being placed in the same memory cgroup. This can result in container management (conmon) processes being killed if a workload process triggers an out-of-memory (OOM) condition for the cgroup. An attacker could abuse this flaw to get host network access on a cri-o host.
Clone Of:
Environment:
Last Closed:



Description Jason Shepherd 2019-11-14 01:23:39 UTC
Cri-o pods didn't provide sufficient isolation between the workload and infra containers, such that when a workload consumed a large amount of memory, the kernel accidentally killed the infra container's conmon process. An attacker would use the flaw to get host network access on a Kubernetes worker node.

Comment 8 Jason Shepherd 2019-11-19 06:35:39 UTC
Acknowledgments:

Name: Nick Freeman (Capsule8)

Comment 10 Jason Shepherd 2019-11-19 22:55:38 UTC
Created cri-o tracking bugs for this issue:

Affects: fedora-all [bug 1774273]

Comment 16 Jason Shepherd 2019-11-24 22:43:39 UTC
Mitigation:

As of cri-o v1.15 you can set conmon_cgroup = "system.slice" in the crio.runtime section of /etc/crio/crio.conf. On OpenShift Container Platform 4.x that can be done by following the documentation here:
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.2/html/architecture/architecture-rhcos

For OpenShift Container Platform 3.x you can edit /etc/crio/crio.conf directly on the worker node if using cri-o on that version. Cri-o is not the default container engine on that version, Docker is.
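
As an added example (not code from the bug report or the cri-o project), the following Python check reads the conmon_cgroup setting from the [crio.runtime] section of a crio.conf fragment and classifies a conmon process's /proc/<pid>/cgroup path, so an operator can verify the mitigation above on a node. The sample config fragments and cgroup paths are constructed; treating "pod" or an unset value as "conmon stays inside the pod cgroup" is an assumption about cri-o's default.

```python
import re
from typing import Optional

# Constructed crio.conf fragments (not copied from a real host).
VULNERABLE_CONF = """\
[crio.runtime]
# "pod" keeps conmon inside the pod's cgroup, so the pod's OOM kill can take it down
conmon_cgroup = "pod"
"""
MITIGATED_CONF = """\
[crio]
root = "/var/lib/containers/storage"

[crio.runtime]
conmon_cgroup = "system.slice"  # conmon lives outside the pod's memory cgroup
"""

SECTION_RE = re.compile(r'^\s*\[([^\]]+)\]\s*$')
KEY_RE = re.compile(r'^\s*([A-Za-z0-9_]+)\s*=\s*"?([^"#]*?)"?\s*(#.*)?$')

def conmon_cgroup_setting(conf_text: str) -> Optional[str]:
    """Return conmon_cgroup from [crio.runtime], or None if the key is not set there."""
    section = None
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue  # skip blank lines and full-line comments
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip()
            continue
        m = KEY_RE.match(line)
        if section == 'crio.runtime' and m and m.group(1) == 'conmon_cgroup':
            return m.group(2).strip()
    return None

def conmon_isolated_by_config(conf_text: str) -> bool:
    """True when the config moves conmon out of the pod cgroup; "pod"/unset means inside it (assumed default)."""
    return conmon_cgroup_setting(conf_text) not in (None, '', 'pod')

# Constructed /proc/<pid>/cgroup lines (cgroup v2 layout) for a conmon process.
CONMON_IN_POD = "0::/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-podEXAMPLE.slice/crio-conmon-EXAMPLE.scope"
CONMON_IN_SYSTEM = "0::/system.slice/crio-conmon-EXAMPLE.scope"

def conmon_shares_pod_cgroup(proc_cgroup_line: str) -> bool:
    """True when a conmon's cgroup path sits under the kubelet pod hierarchy (the vulnerable layout)."""
    path = proc_cgroup_line.split(':', 2)[-1]
    return path.startswith('/kubepods')
```

On a live node, feed the real /etc/crio/crio.conf to conmon_cgroup_setting and each conmon's /proc/<pid>/cgroup line to conmon_shares_pod_cgroup; any conmon still under the pod hierarchy means the mitigation is not in effect for that pod.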

Comment 18 Sam Fowler 2019-12-04 23:28:08 UTC
External References:

https://capsule8.com/blog/oomypod-nothin-to-cri-o-bout/
