Описание
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version 3.9.11, a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.11 of vm2. There are no known workarounds.
A flaw was found in the vm2 sandbox when running untrusted code, as the sandbox setup does not manage proper exception handling. This flaw allows an attacker to bypass the sandbox protections and gain remote code execution on the hypervisor host or the host which is running the sandbox.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/console-rhel8 | Affected | ||
| Multicluster Engine for Kubernetes | multicluster-engine-agent-service-container | Fixed | RHSA-2022:6422 | 12.09.2022 |
| Multicluster Engine for Kubernetes | multicluster-engine-apiserver-network-proxy-container | Fixed | RHSA-2022:6422 | 12.09.2022 |
| Multicluster Engine for Kubernetes | multicluster-engine-assisted-image-service-container | Fixed | RHSA-2022:6422 | 12.09.2022 |
| Multicluster Engine for Kubernetes | multicluster-engine-assisted-installer-agent-container | Fixed | RHSA-2022:6422 | 12.09.2022 |
| Multicluster Engine for Kubernetes | multicluster-engine-assisted-installer-container | Fixed | RHSA-2022:6422 | 12.09.2022 |
| Multicluster Engine for Kubernetes | multicluster-engine-assisted-installer-reporter-container | Fixed | RHSA-2022:6422 | 12.09.2022 |
| Multicluster Engine for Kubernetes | multicluster-engine-aws-encryption-provider-container | Fixed | RHSA-2022:6422 | 12.09.2022 |
| Multicluster Engine for Kubernetes | multicluster-engine-cluster-api-container | Fixed | RHSA-2022:6422 | 12.09.2022 |
| Multicluster Engine for Kubernetes | multicluster-engine-cluster-api-provider-agent-container | Fixed | RHSA-2022:6422 | 12.09.2022 |
Показывать по
Дополнительная информация
Статус:
EPSS
10 Critical
CVSS3
Связанные уязвимости
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version 3.9.11, a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.11 of vm2. There are no known workarounds.
vm2 vulnerable to Sandbox Escape resulting in Remote Code Execution on host
Уязвимость библиотеки vm2 пакетного менеджера NPM, позволяющая нарушителю выполнить произвольный код
EPSS
10 Critical
CVSS3