2124758 – (CVE-2022-38060) CVE-2022-38060 openstack/kolla: sudo privilege escalation vulnerability

Bug 2124758 (CVE-2022-38060) - CVE-2022-38060 openstack/kolla: sudo privilege escalation vulnerability

Summary: CVE-2022-38060 openstack/kolla: sudo privilege escalation vulnerability

Keywords:
Status:	NEW
Alias:	CVE-2022-38060
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2124759 2227050 2227051 2227052 2227053 2227054 2249997
Blocks:	2124484
TreeView+	depends on / blocked

Reported:	2022-09-07 05:15 UTC by Avinash Hanwate
Modified:	2024-01-16 14:36 UTC (History)
CC List:	10 users (show)
Fixed In Version:
Doc Type:	---
Doc Text:	A privilege escalation vulnerability exists in the sudo functionality of OpenStack Kolla. A misconfiguration in /etc/sudoers within a container can lead to increased privileges.
Clone Of:
Environment:
Last Closed:	2022-11-25 02:25:45 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2024:0191	0	None	None	None	2024-01-16 14:36:21 UTC
Red Hat Product Errata	RHSA-2024:0216	0	None	None	None	2024-01-16 14:33:04 UTC

Description Avinash Hanwate 2022-09-07 05:15:52 UTC

A privilege escalation vulnerability exists in the sudo functionality of OpenStack Kolla git master 05194e7618. A misconfiguration in /etc/sudoers within a container can lead to increased privileges.

https://bugs.launchpad.net/bugs/1985784

Comment 1 Avinash Hanwate 2022-09-07 05:16:15 UTC

Created openstack-kolla tracking bugs for this issue:

Affects: openstack-rdo [bug 2124759]

Comment 2 Product Security DevOps Team 2022-11-25 02:25:43 UTC

This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.

Comment 3 Avinash Hanwate 2023-08-28 12:14:40 UTC

*** Bug 2227049 has been marked as a duplicate of this bug. ***

Comment 5 errata-xmlrpc 2024-01-16 14:33:02 UTC

This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1

Via RHSA-2024:0216 https://access.redhat.com/errata/RHSA-2024:0216

Comment 6 errata-xmlrpc 2024-01-16 14:36:19 UTC

This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1

Via RHSA-2024:0191 https://access.redhat.com/errata/RHSA-2024:0191

Note You need to log in before you can comment on or make changes to this bug.