First Last Prev Next    This bug is not in your last search results.
Bug 1172090 - (CVE-2020-2025) VUL-0: CVE-2020-2025: katacontainers: a malicious guest can overwrite the image file to gain control of all subsequent guest VMs
(CVE-2020-2025)
VUL-0: CVE-2020-2025: katacontainers: a malicious guest can overwrite the ima...
Status: RESOLVED INVALID
Classification: openSUSE
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Security
Current
Other Other
: P3 - Medium : Major (vote)
: Current
Assigned To: Ralf Haferkamp
Security Team bot
https://smash.suse.de/issue/260026/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2020-05-26 09:11 UTC by Alexandros Toptsoglou
Modified: 2020-05-28 16:05 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alexandros Toptsoglou 2020-05-26 09:11:31 UTC 
CVE-2020-2025

Kata Containers before 1.11.0 on Cloud Hypervisor persists guest filesystem
changes to the underlying image file on the host. A malicious guest can
overwrite the image file to gain control of all subsequent guest VMs. Since Kata
Containers uses the same VM image file with all VMMs, this issue may also affect
QEMU and Firecracker based guests.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-2025
https://github.com/kata-containers/runtime/pull/2487
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2025
Comment 1 Sascha Grunert 2020-05-26 11:08:55 UTC 
Hey Ralf, do you wanna take care of this? :)
Comment 2 Ralf Haferkamp 2020-05-28 16:05:43 UTC 
This bug is only relevant when using "cloud-hypervisor". Currently we don't ship that with opensuse. Neither are our katacontainers packages enabled to be used with cloud-hypervisor.

Note: I'll update our packages to 1.11.0 anyways in order to address: bug#1172092
First Last Prev Next    This bug is not in your last search results.