Thursday, March 17, 2022

High severity vulnerability in the Kubernetes container

CrowdStrike security researchers discovered a high severity vulnerability, dubbed “cr8escape,” in the Kubernetes container engine CRI-O, an open source, community-driven container engine. Each Kubernetes node includes a container runtime such as CRI-O. Among other tasks, the container runtime allows containerized apps to safely share each node's underlying Linux kernel and other resources. The flaw, tracked as CVE-2022-0811 (CVSS v3 8.8), stems from the sysctl support added in version 1.19, which is used to configure kernel parameters at runtime. Researchers determined that, because of this flaw, the runtime will now “blindly set any kernel parameters it is passed without validation, meaning that anyone who can deploy a pod on a cluster using the CRI-O runtime can abuse the kernel.core_pattern parameter to achieve container escape and arbitrary code execution as root on any node in the cluster.” Threat actors may be able to exploit the vulnerability in the components of the Kubernetes architecture, such as the control plane, worker nodes, or containerized applications, to exfiltrate data and move laterally across pods. The potential impact of this flaw is widespread due to the number of platforms that use CRI-O, such as OpenShift and Oracle Container Engine for Kubernetes. The vulnerability has been resolved, and researchers urge users to patch immediately.
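Because the issue is reachable by anyone who can deploy a pod, reviewing the sysctls that pods request is a useful check alongside patching. The following is an added example, not code from CrowdStrike or the CRI-O project: it audits a pod list in the JSON shape produced by `kubectl get pods -A -o json`. The allowlist, the permitted value characters, and the sample pods are assumptions constructed for illustration.

```python
import string

# Assumption: site policy allowlist (here the Kubernetes "safe" sysctl names);
# extend it with whatever your workloads legitimately need.
ALLOWED_SYSCTLS = {
    "kernel.shm_rmid_forced",
    "net.ipv4.ip_local_port_range",
    "net.ipv4.tcp_syncookies",
    "net.ipv4.ping_group_range",
    "net.ipv4.ip_unprivileged_port_start",
}
# Assumption: plain sysctl values need only alphanumerics, whitespace, '.', '_', '-'.
SAFE_VALUE_CHARS = set(string.ascii_letters + string.digits + " \t._-")

def audit_pods(pod_list):
    """Return [(namespace, pod, sysctl_name, [reasons])] for suspicious sysctls."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        ctx = pod.get("spec", {}).get("securityContext") or {}
        for entry in ctx.get("sysctls") or []:
            name, value = entry.get("name", ""), str(entry.get("value", ""))
            reasons = []
            if name not in ALLOWED_SYSCTLS:
                reasons.append("name not in allowlist")
            if "core_pattern" in name or "core_pattern" in value:
                reasons.append("references kernel.core_pattern")
            if not set(value) <= SAFE_VALUE_CHARS:
                reasons.append("value has unexpected characters")
            if reasons:
                findings.append((meta.get("namespace"), meta.get("name"), name, reasons))
    return findings

def _pod(ns, name, sysctls):
    return {"metadata": {"namespace": ns, "name": name},
            "spec": {"securityContext": {"sysctls": sysctls}}}

# Constructed sample pods (not real cluster data).
SAMPLE = {"items": [
    _pod("web", "frontend", [{"name": "net.ipv4.ip_local_port_range", "value": "32768 60999"}]),
    _pod("dev", "debug-a", [{"name": "kernel.core_pattern", "value": "core.%e.%p"}]),
    _pod("dev", "debug-b", [{"name": "net.ipv4.tcp_syncookies", "value": "1|x"}]),
    {"metadata": {"namespace": "web", "name": "no-ctx"}, "spec": {}},
]}

if __name__ == "__main__":
    for ns, pod, name, reasons in audit_pods(SAMPLE):
        print(f"{ns}/{pod}: {name}: {', '.join(reasons)}")
```

To audit a live cluster, parse the `kubectl` output with `json.load` and pass the result to `audit_pods`.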