Bug 2152703 (CVE-2022-4318) - CVE-2022-4318 cri-o: /etc/passwd tampering privesc
Summary: CVE-2022-4318 cri-o: /etc/passwd tampering privesc
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-4318
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2155653 2152788 2155654 2155693 2155694 2155695 2155696 2155697 2155698 2155699 2155700
Blocks: 2142216
TreeView+ depends on / blocked
 
Reported: 2022-12-12 18:23 UTC by Sage McTaggart
Modified: 2023-11-15 22:07 UTC (History)
13 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in cri-o. This issue allows the addition of arbitrary lines into /etc/passwd by use of a specially crafted environment variable.
Clone Of:
Environment:
Last Closed: 2023-03-07 19:11:40 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:1033 0 None None None 2023-03-07 10:47:16 UTC
Red Hat Product Errata RHSA-2023:1503 0 None None None 2023-04-04 11:42:43 UTC

Description Sage McTaggart 2022-12-12 18:23:38 UTC
It is possible to craft an environment variable with newlines to add entries to /etc/passwd. Using the default SCC prevents the privesc. A malicious user could use a non-default SCC (anyuid, for example) that allows the process to become root on the host.

Comment 5 Anten Skrabec 2022-12-21 18:24:30 UTC
Created cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2155654]


Created cri-o:1.21/cri-o tracking bugs for this issue:

Affects: epel-8 [bug 2155653]

Comment 6 Anten Skrabec 2022-12-21 22:57:53 UTC
Created cri-o:1.20/cri-o tracking bugs for this issue:

Affects: fedora-36 [bug 2155693]


Created cri-o:1.21/cri-o tracking bugs for this issue:

Affects: fedora-36 [bug 2155694]


Created cri-o:1.22/cri-o tracking bugs for this issue:

Affects: fedora-36 [bug 2155695]


Created cri-o:1.23/cri-o tracking bugs for this issue:

Affects: fedora-36 [bug 2155696]


Created cri-o:1.24/cri-o tracking bugs for this issue:

Affects: fedora-36 [bug 2155697]
Affects: fedora-37 [bug 2155699]


Created cri-o:1.25/cri-o tracking bugs for this issue:

Affects: fedora-36 [bug 2155698]
Affects: fedora-37 [bug 2155700]

Comment 7 errata-xmlrpc 2023-03-07 10:47:15 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2023:1033 https://access.redhat.com/errata/RHSA-2023:1033

Comment 8 Product Security DevOps Team 2023-03-07 19:11:37 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-4318

Comment 11 errata-xmlrpc 2023-04-04 11:42:41 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2023:1503 https://access.redhat.com/errata/RHSA-2023:1503


Note You need to log in before you can comment on or make changes to this bug.