Описание
There's a vulnerability in the CRI-O application where when container is launched with securityContext.runAsUser specifying a non-existent user, CRI-O attempts to create the user, reading the container's entire /etc/passwd file into memory. If this file is excessively large, it can cause the a high memory consumption leading applications to be killed due to out-of-memory. As a result a denial-of-service can be achieved, possibly disrupting other pods and services running in the same host.
Отчет
This vulnerability was rated as Moderate by the Red Hat's Product Security team as it requires the attacker to own an account with minimal privileges to create pods using the CRI-O utility.
Меры по смягчению последствий
As for now there's no available mitigation for this flaw.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat OpenShift Container Platform 4 | cri-o | Fix deferred | ||
| Red Hat OpenShift Container Platform 4 | rhcos | Fix deferred |
Показывать по
Дополнительная информация
Статус:
5.7 Medium
CVSS3
Связанные уязвимости
There's a vulnerability in the CRI-O application where when container is launched with securityContext.runAsUser specifying a non-existent user, CRI-O attempts to create the user, reading the container's entire /etc/passwd file into memory. If this file is excessively large, it can cause the a high memory consumption leading applications to be killed due to out-of-memory. As a result a denial-of-service can be achieved, possibly disrupting other pods and services running in the same host.
There's a vulnerability in the CRI-O application where when container ...
CRI-O has Potential High Memory Consumption from File Read
5.7 Medium
CVSS3