CrowdStrike security researchers
discovered a high-severity vulnerability, dubbed “cr8escape,” in
CRI-O, an open source, community-driven container engine for
Kubernetes. Each Kubernetes node includes a container runtime such as
CRI-O. Among other tasks, the container runtime allows containerized apps
to safely share each node’s underlying Linux kernel and other resources.
The flaw, tracked as CVE-2022-0811 (CVSS v3 8.8), stems from
the sysctl support added in version 1.19, which is used to configure kernel
parameters at runtime. Researchers determined that, because of this flaw, CRI-O will now
“blindly set any kernel parameters it is passed without validation, meaning
that anyone who can deploy a pod on a cluster using the CRI-O runtime can
abuse the kernel.core_pattern parameter to achieve
container escape and arbitrary code execution as root on any node in the
cluster.” Malicious threat actors may be able to exploit the vulnerability
in the components of the Kubernetes architecture, such as the control
plane, worker nodes, or containerized applications, to exfiltrate data and
move laterally across pods. The potential impact of this flaw is widespread
due to the number of platforms that use CRI-O, such as OpenShift and Oracle
Container Engine for Kubernetes. The vulnerability has been resolved and researchers urge users to patch immediately.
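
To help find exposed workloads while patching, the following added example (not part of the original advisory or of the CRI-O project) audits the JSON produced by `kubectl get pods -A -o json` for pod-level sysctls that reference kernel.core_pattern, fall outside the sysctls the Kubernetes documentation lists as safe, or carry unexpected characters in their value. The safe list and the value pattern are assumptions of this example, and the sample pod list is constructed.

```python
import json
import re

# Sysctls the Kubernetes documentation lists as "safe" (assumption of this example).
SAFE_SYSCTLS = {
    "kernel.shm_rmid_forced", "net.ipv4.ip_local_port_range", "net.ipv4.tcp_syncookies",
    "net.ipv4.ping_group_range", "net.ipv4.ip_unprivileged_port_start",
}
# Conservative assumption: legitimate values are plain numbers, words and ranges.
PLAIN_VALUE = re.compile(r"^[A-Za-z0-9 \t._-]*$")


def audit_pods(pod_list_json):
    """Return (namespace, pod, sysctl, reason) for every suspicious sysctl entry."""
    findings = []
    for pod in json.loads(pod_list_json).get("items", []):
        meta = pod.get("metadata", {})
        ctx = pod.get("spec", {}).get("securityContext") or {}
        for entry in ctx.get("sysctls") or []:
            name, value = entry.get("name", ""), str(entry.get("value", ""))
            reasons = []
            if name == "kernel.core_pattern" or "kernel.core_pattern" in value:
                reasons.append("references kernel.core_pattern")
            if name not in SAFE_SYSCTLS:
                reasons.append("not in safe sysctl set")
            if not PLAIN_VALUE.match(value):
                reasons.append("value has unexpected characters")
            where = (meta.get("namespace", "default"), meta.get("name", "?"))
            findings.extend(where + (name, reason) for reason in reasons)
    return findings


# Constructed sample standing in for `kubectl get pods -A -o json` output.
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "web", "name": "frontend"},
     "spec": {"securityContext": {"sysctls": [
         {"name": "net.ipv4.ip_local_port_range", "value": "1024 65000"}]}}},
    {"metadata": {"namespace": "dev", "name": "batch-job"},
     "spec": {"securityContext": {"sysctls": [
         {"name": "kernel.core_pattern", "value": "core"}]}}},
    {"metadata": {"namespace": "dev", "name": "odd-value"},
     "spec": {"securityContext": {"sysctls": [
         {"name": "kernel.shm_rmid_forced", "value": "1;x"}]}}},
    {"metadata": {"namespace": "dev", "name": "no-sysctls"}, "spec": {}},
]})

if __name__ == "__main__":
    for finding in audit_pods(SAMPLE):
        print(*finding, sep="\t")
```

Any finding is a prompt to review who deployed the pod and why it needs that sysctl, not proof of compromise.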