CVE-2023-6476

Severity: MEDIUM 6.5 | EPSS: 0.30%

CRI-O's pods can break out of resource confinement on cgroupv2

Published: 1/10/2024 | Modified: 6/28/2024
Also known as: GHSA-p4rx-7wvg-fwrc, GO-2024-2458

Description

### Impact

All versions of CRI-O running on cgroupv2 nodes are affected. Unchecked access to an experimental annotation allows a container to run unconfined by its resource limits.

In 2021, [support was added](https://github.com/cri-o/cri-o/pull/4479) for an experimental annotation that lets a user request special resources under cgroupv2. It was meant to be gated: the annotation `io.kubernetes.cri-o.UnifiedCgroup` should only be honoured when the node's [list of allowed annotations](https://github.com/cri-o/cri-o/blob/main/pkg/config/workloads.go#L103-L107) permits it, and filtered out otherwise. A bug in that code lets any user set the annotation regardless of whether it is enabled on the node. As a result, a pod can request and receive any amount of memory and CPU, circumventing the Kubernetes scheduler's accounting, and can potentially DoS the node.

### Patches

Fixed in 1.29.1, 1.28.3 and 1.27.3.

### Workarounds

Run nodes on cgroupv1; the issue only affects cgroupv2 nodes.
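A check an operator can run while waiting to upgrade, added here as an example and not part of the advisory or CRI-O's own code: it scans a pod list in the shape `kubectl get pods -A -o json` emits for any annotation keyed `io.kubernetes.cri-o.UnifiedCgroup` or a dotted sub-key of it, and compares a CRI-O version string against the fixed releases named above. The sample pod list is constructed; the per-container sub-key form and the annotation's value syntax are assumptions for illustration, not taken from the project. Matching on the key prefix rather than the exact key is deliberate: an exact-match allow list is precisely what a suffixed variant of an annotation would slip past.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// UnifiedCgroupAnnotation is the experimental CRI-O annotation named in the advisory.
const UnifiedCgroupAnnotation = "io.kubernetes.cri-o.UnifiedCgroup"

// patchedMinor maps a CRI-O 1.x minor line to the first fixed patch release (from the advisory).
var patchedMinor = map[int]int{27: 3, 28: 3, 29: 1}

// Finding records one annotation on one pod that requests unified cgroup resources.
type Finding struct {
	Namespace, Pod, Key, Value string
}

// podMeta is the minimal subset of a Kubernetes Pod object this check needs.
type podMeta struct {
	Metadata struct {
		Name        string            `json:"name"`
		Namespace   string            `json:"namespace"`
		Annotations map[string]string `json:"annotations"`
	} `json:"metadata"`
}

// SamplePodList is a constructed PodList: one pod carrying a sub-key of the
// annotation (assumed form and value syntax, for illustration only) and one
// benign pod. It is not output captured from a real cluster.
const SamplePodList = `{"items":[
  {"metadata":{"name":"greedy","namespace":"tenant-a",
    "annotations":{"io.kubernetes.cri-o.UnifiedCgroup.app":"memory.max=max\ncpu.max=max"}}},
  {"metadata":{"name":"normal","namespace":"tenant-b",
    "annotations":{"prometheus.io/scrape":"true"}}}
]}`

// FindUnifiedCgroupAnnotations returns every annotation in a PodList JSON
// document whose key is the UnifiedCgroup annotation or a dotted sub-key of it.
func FindUnifiedCgroupAnnotations(podListJSON []byte) ([]Finding, error) {
	var list struct {
		Items []podMeta `json:"items"`
	}
	if err := json.Unmarshal(podListJSON, &list); err != nil {
		return nil, err
	}
	var out []Finding
	for _, p := range list.Items {
		for k, v := range p.Metadata.Annotations {
			if k == UnifiedCgroupAnnotation || strings.HasPrefix(k, UnifiedCgroupAnnotation+".") {
				out = append(out, Finding{p.Metadata.Namespace, p.Metadata.Name, k, v})
			}
		}
	}
	return out, nil
}

// IsPatched reports whether a CRI-O version string such as "1.28.2" or
// "v1.29.1" is at or past the fixed release for its minor line. Lines older
// than 1.27 are treated as unpatched; lines newer than 1.29 are assumed to
// have branched after the fix (an assumption, not stated by the advisory).
func IsPatched(version string) bool {
	var major, minor, patch int
	n, err := fmt.Sscanf(strings.TrimPrefix(version, "v"), "%d.%d.%d", &major, &minor, &patch)
	if err != nil || n != 3 || major != 1 {
		return false
	}
	fixed, ok := patchedMinor[minor]
	if !ok {
		return minor > 29
	}
	return patch >= fixed
}

func main() {
	findings, err := FindUnifiedCgroupAnnotations([]byte(SamplePodList))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s/%s sets %s=%q\n", f.Namespace, f.Pod, f.Key, f.Value)
	}
	for _, v := range []string{"1.27.2", "1.28.3", "v1.29.1"} {
		fmt.Printf("CRI-O %s patched: %v\n", v, IsPatched(v))
	}
}
```

On a live cluster, pipe `kubectl get pods -A -o json` into `FindUnifiedCgroupAnnotations` and take the CRI-O version from `kubectl get nodes -o wide` (the CONTAINER-RUNTIME column); a hit on a cgroupv2 node running an unpatched version is a pod that may be running outside its declared limits.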

Affected packages (2)

CVSS scores

| Source | Version  | Severity   | Vector                                       |
|--------|----------|------------|----------------------------------------------|
| osv    | CVSS 3.1 | MEDIUM 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |

References (10)