Bug 1212493 (CVE-2023-2431)

Summary: VUL-0: CVE-2023-2431: kubernetes1.24,kubernetes1.23: Bypass of seccomp profile enforcement
Product: [Novell Products] SUSE Security Incidents Reporter: Thomas Leroy <thomas.leroy>
Component: IncidentsAssignee: Priyanka Saggu <priyanka.saggu>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P3 - Medium CC: security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/369726/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-2431:3.4:(AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Thomas Leroy 2023-06-19 07:42:40 UTC 
CVE-2023-2431

A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement. Pods that use localhost type for seccomp profile but specify an empty profile field, are affected by this issue. In this scenario, this vulnerability allows the pod to run in unconfined (seccomp disabled) mode. This bug affects Kubelet.

References:
https://groups.google.com/g/kubernetes-security-announce/c/QHmx0HOQa10
https://github.com/kubernetes/kubernetes/issues/118690

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-2431
https://bugzilla.redhat.com/show_bug.cgi?id=2215555
https://www.cve.org/CVERecord?id=CVE-2023-2431
https://github.com/kubernetes/kubernetes/issues/118690
https://groups.google.com/g/kubernetes-security-announce/c/QHmx0HOQa10
Comment 1 Thomas Leroy 2023-06-19 07:46:33 UTC 
It appears that kubernetes1.2{3,4} has no official maintainer.
Priyanka, feel free to reassign if you find a better fit.

Affected:
- SUSE:SLE-15-SP5:Update/kubernetes1.23
- SUSE:SLE-15-SP5:Update/kubernetes1.24
Comment 2 Priyanka Saggu 2023-06-19 08:22:26 UTC 
Thanks for pointing, Thomas. I'll raise fix SRs.
Comment 5 Priyanka Saggu 2023-06-21 10:48:56 UTC 
Both the following SR are accepted now.

SLE-15-SP5 / kubernetes1.24 - https://build.suse.de/request/show/301662 

SLE-15-SP5 / kubernetes1.23 - https://build.suse.de/request/show/301703
Comment 6 Maintenance Automation 2023-06-28 16:30:19 UTC 
SUSE-SU-2023:2691-1: An update that solves one vulnerability can now be installed.

Category: security (low)
Bug References: 1212493
CVE References: CVE-2023-2431
Sources used:
openSUSE Leap 15.5 (src): kubernetes1.23-1.23.17-150500.3.6.1
Containers Module 15-SP5 (src): kubernetes1.23-1.23.17-150500.3.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.