In CRI-O, an alternative runtime for managing isolated containers, a critical vulnerability (CVE-2022-0811) has been identified that allows an attacker to bypass isolation and execute code on the host system. When CRI-O is used instead of Docker to launch containers on the Kubernetes platform, an attacker can gain control over any node in the Kubernetes cluster. To carry out the attack, it is enough to have the rights to start a container in the Kubernetes cluster.
The vulnerability is caused by the ability to change the kernel sysctl parameter "kernel.core_pattern" ("/proc/sys/kernel/core_pattern"), access to which is not blocked even though it is not among the safe parameters that act only within the namespace of the current container. Using this parameter, a user in a container can change how the Linux kernel handles core files on the host and have an arbitrary command run as root on the host side by specifying a handler such as "|/bin/sh -c 'command'".
The problem has been present since the CRI-O 1.19.0 release and is fixed in updates 1.19.6, 1.20.7, 1.21.6, 1.22.3, 1.23.2 and 1.24.0. Among distributions, the problem affects Red Hat OpenShift Container Platform and openSUSE/SUSE, whose repositories include a CRI-O package.