Bug 1772280 (CVE-2019-14891) - CVE-2019-14891 cri-o: infra container reparented to systemd following OOM Killer killing its conmon
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-14891
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1774269 1774270 1774271 1774272 1774273
Blocks: 1770013
Reported: 2019-11-14 01:23 UTC by Jason Shepherd
Modified: 2023-03-24 16:01 UTC (History)
CC List: 17 users

Fixed In Version: cri-o-1.16.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in cri-o, as a result of all pod-related processes being placed in the same memory cgroup. This can result in container management (conmon) processes being killed if a workload process triggers an out-of-memory (OOM) condition for the cgroup. An attacker could abuse this flaw to get host network access on a cri-o host.
Clone Of:
Environment:
Last Closed: 2020-07-01 19:27:39 UTC


Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2020:2776  0        None      None    None     2020-07-01 16:04:03 UTC
Red Hat Product Errata  RHSA-2020:2992  0        None      None    None     2020-07-27 18:49:28 UTC

Description Jason Shepherd 2019-11-14 01:23:39 UTC
Cri-o pods didn't provide sufficient isolation between the workload and infra containers such that when a workload consumed a large amount of memory, the kernel accidentally killed the infra container's conmon process. An attacker would use the flaw to get host network access on a Kubernetes worker node.

Comment 8 Jason Shepherd 2019-11-19 06:35:39 UTC
Acknowledgments:

Name: Nick Freeman (Capsule8)

Comment 10 Jason Shepherd 2019-11-19 22:55:38 UTC
Created cri-o tracking bugs for this issue:

Affects: fedora-all [bug 1774273]

Comment 16 Jason Shepherd 2019-11-24 22:43:39 UTC
Mitigation:

As of cri-o v1.15 you can set conmon_cgroup = "system.slice" in the crio.runtime section of /etc/crio/crio.conf. On OpenShift Container Platform 4.x that can be done by following the documentation here:
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.2/html/architecture/architecture-rhcos

For OpenShift Container Platform 3.x you can edit /etc/crio/crio.conf directly on the worker node if using cri-o on that version. Cri-o is not the default container engine on that version; Docker is.
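The following is an added example illustrating the mitigation in the comment above; it is not code from this bug report, from cri-o or from OpenShift. It does two things: rewrites the conmon_cgroup key inside the [crio.runtime] section of a crio.conf (replacing the key if present, adding it if absent, never touching other sections), and reads /proc/<pid>/cgroup to tell whether a running conmon sits in the pod's memory cgroup (the vulnerable layout) or under system.slice. Assumptions: the shipped default is conmon_cgroup = "pod", the node uses the systemd cgroup manager, and the crio.conf fragments and /proc/<pid>/cgroup contents below are constructed samples in the kubepods.slice / system.slice layout; a real node may differ.

```shell
#!/bin/sh
# Added example (not from cri-o, OpenShift or this bug): set conmon_cgroup in a
# crio.conf and verify where a conmon process actually lands in the memory cgroup tree.
# Assumed: default conmon_cgroup = "pod", systemd cgroup manager, kubepods.slice layout.
set -u

# Constructed crio.conf fragment carrying the weak default.
SAMPLE_CRIO_CONF='[crio.runtime]
conmon = "/usr/libexec/crio/conmon"
conmon_cgroup = "pod"
default_ulimits = [
]'

# Constructed fragment whose [crio.runtime] section has no conmon_cgroup key at all.
SAMPLE_CRIO_CONF_NOKEY='[crio.runtime]
conmon = "/usr/libexec/crio/conmon"

[crio.image]
pause_image = "registry.example.invalid/pause:3.1"'

# Constructed /proc/<pid>/cgroup (cgroup v1): conmon inside the pod's memory cgroup.
POD_CGROUP_SAMPLE='12:pids:/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod1234.slice/crio-conmon-deadbeef.scope
4:memory:/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod1234.slice/crio-conmon-deadbeef.scope
1:name=systemd:/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod1234.slice/crio-conmon-deadbeef.scope'

# Constructed /proc/<pid>/cgroup (cgroup v2): conmon moved under system.slice.
SYSTEM_CGROUP_SAMPLE='0::/system.slice/crio-conmon-deadbeef.scope'

# set_conmon_cgroup CONF_TEXT VALUE: print CONF_TEXT with conmon_cgroup = "VALUE" inside
# [crio.runtime]; an existing key is replaced, a missing key is appended to that section.
set_conmon_cgroup() {
    printf '%s\n' "$1" | awk -v val="$2" '
        /^\[/ {
            if (insec && !done) { print "conmon_cgroup = \"" val "\""; done = 1 }
            insec = ($0 == "[crio.runtime]")
        }
        insec && /^[ \t]*conmon_cgroup[ \t]*=/ {
            print "conmon_cgroup = \"" val "\""; done = 1; next
        }
        { print }
        END { if (insec && !done) print "conmon_cgroup = \"" val "\"" }'
}

# conf_conmon_cgroup CONF_TEXT: print the conmon_cgroup value found in [crio.runtime]
# (empty when the key is absent, which means the "pod" default applies).
conf_conmon_cgroup() {
    printf '%s\n' "$1" | awk '
        /^\[/ { insec = ($0 == "[crio.runtime]") }
        insec && /^[ \t]*conmon_cgroup[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); gsub(/"/, ""); print; exit
        }'
}

# memory_cgroup_of PROC_CGROUP_TEXT: print the memory-controller path from a
# /proc/<pid>/cgroup dump; cgroup v1 "N:memory:/path" wins, else the v2 "0::/path" line.
memory_cgroup_of() {
    printf '%s\n' "$1" | awk -F: '
        $2 == "memory"            { print $3; found = 1; exit }
        $2 == "" && $3 != ""      { v2 = $3 }
        END { if (!found && v2 != "") print v2 }'
}

# conmon_isolated PROC_CGROUP_TEXT: succeed when conmon is outside the kubepods hierarchy,
# i.e. a workload OOM in the pod cgroup cannot select it as a victim.
conmon_isolated() {
    case "$(memory_cgroup_of "$1")" in
        */kubepods*) return 1 ;;
        *)           return 0 ;;
    esac
}

# check_node: on a real worker, list every conmon PID with its memory cgroup and flag
# those still under the pod tree (needs root to read /proc/<pid>/cgroup of other users).
check_node() {
    rc=0
    for pid in $(pgrep -x conmon); do
        cg_text=$(cat "/proc/$pid/cgroup" 2>/dev/null) || continue
        if conmon_isolated "$cg_text"; then
            echo "ok   conmon $pid -> $(memory_cgroup_of "$cg_text")"
        else
            echo "WEAK conmon $pid -> $(memory_cgroup_of "$cg_text")"; rc=1
        fi
    done
    return $rc
}

case "${1:-}" in
    --live) check_node ;;
    --demo) set_conmon_cgroup "$SAMPLE_CRIO_CONF" system.slice ;;
esac
```

Run with --demo to see the rewritten fragment, or with --live on a node to audit running conmon processes after restarting cri-o. On OpenShift 4.x the file should be delivered through the documented mechanism linked above rather than edited in place; the rewrite function is still useful for generating that content.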

Comment 18 Sam Fowler 2019-12-04 23:28:08 UTC
External References:

https://capsule8.com/blog/oomypod-nothin-to-cri-o-bout/

Comment 19 errata-xmlrpc 2020-07-01 16:04:00 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.2

Via RHSA-2020:2776 https://access.redhat.com/errata/RHSA-2020:2776

Comment 20 Product Security DevOps Team 2020-07-01 19:27:39 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-14891

Comment 23 errata-xmlrpc 2020-07-27 18:49:26 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2020:2992 https://access.redhat.com/errata/RHSA-2020:2992

