CVE-2019-14891

Published: 07 Nov 2019
Source: redhat
CVSS3: 5
EPSS: Low

Description

A flaw was found in cri-o, as a result of all pod-related processes being placed in the same memory cgroup. This can result in container management (conmon) processes being killed if a workload process triggers an out-of-memory (OOM) condition for the cgroup. An attacker could abuse this flaw to get host network access on a cri-o host.

Mitigation

As of cri-o v1.15 you can set conmon_cgroup = "system.slice" in the crio.runtime section of /etc/crio/crio.conf. On OpenShift Container Platform 4.x, that can be done by following the documentation here: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.2/html/architecture/architecture-rhcos. For OpenShift Container Platform 3.x, you can edit /etc/crio/crio.conf directly on the worker node if you are using cri-o on that version. Cri-o is not the default container engine on that version; Docker is.
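
One way to verify the mitigation above on a node, as an added example (not Red Hat's or the cri-o project's code). The function names are hypothetical, and the parser assumes one key per line in the TOML file:

```shell
#!/bin/sh
# Added example: audit a crio.conf for the conmon_cgroup mitigation.
# Function names are hypothetical; the parser assumes one key per line.

# Print the last conmon_cgroup value set directly in the [crio.runtime] table.
conmon_cgroup_value() {
    awk -v sq="'" '
        /^[ \t]*#/ { next }                      # skip full-line comments
        /^[ \t]*\[/ {                            # TOML table header
            hdr = $0
            sub(/#.*/, "", hdr)                  # drop trailing comment
            gsub(/[ \t]/, "", hdr)
            in_rt = (hdr == "[crio.runtime]")    # sub-tables do not count
            next
        }
        in_rt && /^[ \t]*conmon_cgroup[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)        # drop key and "="
            sub(/[ \t]*(#.*)?$/, "", val)        # drop trailing comment
            gsub("^[\"" sq "]|[\"" sq "]$", "", val)   # drop surrounding quotes
            found = val
        }
        END { if (found != "") print found }
    ' "$1"
}

# Exit status: 0 = set to system.slice, 1 = unset or another value, 2 = unreadable.
check_conmon_mitigation() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    v=$(conmon_cgroup_value "$1")
    if [ "$v" = "system.slice" ]; then
        echo "OK: conmon_cgroup = \"$v\" in [crio.runtime]"
        return 0
    fi
    echo "NOT MITIGATED: conmon_cgroup = \"${v:-<unset>}\" in [crio.runtime]"
    return 1
}

# Usage on a node: check_conmon_mitigation /etc/crio/crio.conf
```

A commented-out line or the same key under another table (for example crio.image) is reported as not mitigated, since only an active setting in crio.runtime matches the guidance.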

Additional information

Status: Moderate
Weakness: CWE-460
https://bugzilla.redhat.com/show_bug.cgi?id=1772280
cri-o: infra container reparented to systemd following OOM Killer killing it's conmon

EPSS

Percentile: 54%
0.00316
Low

CVSS3: 5 Medium

Related vulnerabilities

CVSS3: 5
ubuntu
about 6 years ago

A flaw was found in cri-o, as a result of all pod-related processes being placed in the same memory cgroup. This can result in container management (conmon) processes being killed if a workload process triggers an out-of-memory (OOM) condition for the cgroup. An attacker could abuse this flaw to get host network access on a cri-o host.

CVSS3: 5
nvd
about 6 years ago

A flaw was found in cri-o, as a result of all pod-related processes being placed in the same memory cgroup. This can result in container management (conmon) processes being killed if a workload process triggers an out-of-memory (OOM) condition for the cgroup. An attacker could abuse this flaw to get host network access on a cri-o host.

CVSS3: 5
debian
about 6 years ago

A flaw was found in cri-o, as a result of all pod-related processes be ...

CVSS3: 5
github
more than 3 years ago

A flaw was found in cri-o, as a result of all pod-related processes being placed in the same memory cgroup. This can result in container management (conmon) processes being killed if a workload process triggers an out-of-memory (OOM) condition for the cgroup. An attacker could abuse this flaw to get host network access on a cri-o host.
