Описание
Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. In versions prior to 3.27.0, an issue in Kata with Cloud Hypervisor allows a user of the container to modify the file system used by the Guest micro VM ultimately achieving arbitrary code execution as root in said VM. The current understanding is this doesn’t impact the security of the Host or of other containers / VMs running on that Host (note that arm64 QEMU lacks NVDIMM read-only support: It is believed that until the upstream QEMU gains this capability, a guest write could reach the image file). Version 3.27.0 patches the issue.
A flaw was found in Kata Containers. A user of a container can exploit this vulnerability by modifying the file system used by the Guest micro Virtual Machine (VM). This allows the attacker to achieve arbitrary code execution as root within the compromised Guest VM. This issue does not impact the security of the host or other containers/VMs running on the host.
Отчет
This risk posed by this flaw is limited to the Guest VM provided to each Kata Containers container which exists as a second layer of isolation. This flaw has been rated Important because it requires an attacker to have local access to a container in order to execute arbitrary code.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Confidential Compute Attestation | openshift-sandboxed-containers/osc-monitor-rhel9 | Affected | ||
| Red Hat OpenShift Container Platform 4 | kata-containers | Affected |
Показывать по
Ссылки на источники
Дополнительная информация
Статус:
9.3 Critical
CVSS3
Связанные уязвимости
Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. In versions prior to 3.27.0, an issue in Kata with Cloud Hypervisor allows a user of the container to modify the file system used by the Guest micro VM ultimately achieving arbitrary code execution as root in said VM. The current understanding is this doesn’t impact the security of the Host or of other containers / VMs running on that Host (note that arm64 QEMU lacks NVDIMM read-only support: It is believed that until the upstream QEMU gains this capability, a guest write could reach the image file). Version 3.27.0 patches the issue.
9.3 Critical
CVSS3