CVE-2020-14316

Опубликовано: 23 июн. 2020

Источник: redhat

CVSS3: 9.9

Описание

A flaw was found in kubevirt 0.29 and earlier. Virtual Machine Instances (VMIs) can be used to gain access to the host's filesystem. Successful exploitation allows an attacker to assume the privileges of the VM process on the host system. In worst-case scenarios an attacker can read and modify any file on the system where the VMI is running. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Отчет

OpenShift Virtualization 1.4 and 2.3 use affected version of kubevirt in virt-launcher container, however impact is rated Moderate as VMIs are running as non-root and thus have limited access to the host's filesystem.

Меры по смягчению последствий

This flaw can be partially or completely mitigated by leveraging existing mechanisms to restrict the VMI process such as running as non-root and using SELinux and sVirt whenever possible.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
Red Hat OpenShift Virtualization 1	virt-launcher	Will not fix
RHEL-8-CNV-2.4	container-native-virtualization/kubevirt-cpu-model-nfd-plugin	Fixed	RHSA-2020:3194	28.07.2020
RHEL-8-CNV-2.4	container-native-virtualization/kubevirt-cpu-node-labeller	Fixed	RHSA-2020:3194	28.07.2020
RHEL-8-CNV-2.4	container-native-virtualization/kubevirt-kvm-info-nfd-plugin	Fixed	RHSA-2020:3194	28.07.2020
RHEL-8-CNV-2.4	container-native-virtualization/vm-import-controller-rhel8	Fixed	RHSA-2020:3194	28.07.2020

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important

Дефект:

CWE-284

https://bugzilla.redhat.com/show_bug.cgi?id=1848951kubevirt: VMIs can be used to access host files

9.9 Critical

CVSS3

Связанные уязвимости

CVE-2020-14316

CVSS3: 9.9

nvd

больше 5 лет назад

GHSA-828r-r2c8-rfw3

CVSS3: 9.9

github

почти 2 года назад

Privilege Escalation in kubevirt

9.9 Critical

CVSS3