Описание
A vulnerability was found in CRI-O, where it can be requested to take a checkpoint archive of a container and later be asked to restore it. When it does that restoration, it attempts to restore the mounts from the restore archive instead of the pod request. As a result, the validations run on the pod spec, verifying that the pod has access to the mounts it specifies are not applicable to a restored container. This flaw allows a malicious user to trick CRI-O into restoring a pod that doesn't have access to host mounts. The user needs access to the kubelet or cri-o socket to call the restore endpoint and trigger the restore.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 8 | container-tools:rhel8/conmon | Not affected | ||
| Red Hat Enterprise Linux 8 | container-tools:rhel8/podman | Will not fix | ||
| Red Hat Enterprise Linux 9 | conmon | Not affected | ||
| Red Hat OpenShift Container Platform 3.11 | cri-o | Out of support scope | ||
| Red Hat OpenShift Container Platform 4 | conmon | Not affected | ||
| Red Hat OpenShift Container Platform 4 | rhcos | Affected | ||
| Red Hat OpenShift Container Platform 4.15 | cri-o | Fixed | RHSA-2025:0648 | 29.01.2025 |
| Red Hat OpenShift Container Platform 4.16 | cri-o | Fixed | RHBA-2024:10826 | 12.12.2024 |
| Red Hat OpenShift Container Platform 4.16 | rhcos-416.94.202506251808 | Fixed | RHSA-2025:9765 | 02.07.2025 |
| Red Hat OpenShift Container Platform 4.17 | rhcos-417.94.202503241418 | Fixed | RHSA-2025:3297 | 03.04.2025 |
Показывать по
Дополнительная информация
Статус:
EPSS
7.4 High
CVSS3
Связанные уязвимости
A vulnerability was found in CRI-O, where it can be requested to take a checkpoint archive of a container and later be asked to restore it. When it does that restoration, it attempts to restore the mounts from the restore archive instead of the pod request. As a result, the validations run on the pod spec, verifying that the pod has access to the mounts it specifies are not applicable to a restored container. This flaw allows a malicious user to trick CRI-O into restoring a pod that doesn't have access to host mounts. The user needs access to the kubelet or cri-o socket to call the restore endpoint and trigger the restore.
A vulnerability was found in CRI-O, where it can be requested to take a checkpoint archive of a container and later be asked to restore it. When it does that restoration, it attempts to restore the mounts from the restore archive instead of the pod request. As a result, the validations run on the pod spec, verifying that the pod has access to the mounts it specifies are not applicable to a restored container. This flaw allows a malicious user to trick CRI-O into restoring a pod that doesn't have access to host mounts. The user needs access to the kubelet or cri-o socket to call the restore endpoint and trigger the restore.
A vulnerability was found in CRI-O, where it can be requested to take ...
CRI-O: Maliciously structured checkpoint file can gain arbitrary node access
EPSS
7.4 High
CVSS3