Bug 1094170 - (CVE-2018-1000400) VUL-0: CVE-2018-1000400: cri-o: capabilities are not dropped when switching to a non-root user
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.0
Hardware: Other Other
Priority: P5 - None
Severity: Normal
Assigned To: Containers Team
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/206144/

Reported: 2018-05-22 09:54 UTC by Karol Babioch
Modified: 2018-05-22 10:21 UTC

Found By: Security Response Team
Description Karol Babioch 2018-05-22 09:54:31 UTC
rh#1578109

Kubernetes CRI-O version prior to 1.9 contains a Privilege Context Switching
Error (CWE-270) vulnerability in the handling of ambient capabilities that can
result in containers running with elevated privileges, allowing users abilities
they should not have. This attack appears to be exploitable via container
execution. This vulnerability appears to have been fixed in 1.9.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1578109
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000400
https://github.com/kubernetes-incubator/cri-o/pull/1558/files
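
Added example (not part of the bug report and not CRI-O code): a check for the condition named in the bug title, reading the capability masks of a container process from /proc/<pid>/status and reporting any permitted, effective or ambient capabilities left on a non-root process. The function names and the sample status texts are constructed for illustration, and the check assumes no capabilities were granted to the workload on purpose.

```python
import re

# Sets that should be empty once a process runs as a non-root user.
# CapBnd only limits what can be gained, and CapInh takes effect only
# together with file capabilities, so neither is checked here.
CHECKED_SETS = ("CapPrm", "CapEff", "CapAmb")

# Constructed /proc/<pid>/status excerpts (not taken from the bug report).
NOT_DROPPED = (
    "Name:\tsleep\nUid:\t1000\t1000\t1000\t1000\n"
    "CapInh:\t00000000a80425fb\nCapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n"
    "CapAmb:\t00000000a80425fb\n"
)
DROPPED = (
    "Name:\tsleep\nUid:\t1000\t1000\t1000\t1000\n"
    "CapInh:\t0000000000000000\nCapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\nCapBnd:\t00000000a80425fb\n"
    "CapAmb:\t0000000000000000\n"
)


def parse_status(text):
    """Return (effective UID, {set name: mask}) from /proc/<pid>/status text."""
    fields = dict(re.findall(r"^(\w+):[ \t]*(.+)$", text, re.MULTILINE))
    euid = int(fields["Uid"].split()[1])  # order: real, effective, saved, fs
    caps = {n: int(fields[n], 16) for n in CHECKED_SETS if n in fields}
    return euid, caps


def retained_caps(text):
    """Map each non-empty checked set to its capability bit numbers.

    Returns {} for root processes and for non-root processes whose
    permitted, effective and ambient sets are all empty.
    """
    euid, caps = parse_status(text)
    if euid == 0:
        return {}
    return {
        name: [bit for bit in range(64) if (mask >> bit) & 1]
        for name, mask in caps.items() if mask
    }


if __name__ == "__main__":
    for label, sample in (("not dropped", NOT_DROPPED), ("dropped", DROPPED)):
        print(label, retained_caps(sample) or "no capabilities retained")
```

To run the same check against a live process, pass the contents of /proc/<pid>/status for the container's main process to retained_caps().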
Comment 1 Valentin Rothberg 2018-05-22 10:00:48 UTC
We are only offering CRI-O for Tumbleweed and Kubic, both in version 1.9 (and soon 1.10), so the CVE doesn't seem to affect us. In case I am missing something, feel free to re-open the bug.

Thanks a lot for reporting the bug!
Comment 4 Karol Babioch 2018-05-22 10:21:40 UTC
You are right, of course. I'm sorry I somehow misread the message and believed that 1.9 would be affected, too.