Bug 1157291 - (CVE-2019-14891) VUL-0: CVE-2019-14891: cri-o: pods didn't provide sufficient isolation between the workload and infra containers, allowing an attacker to gain access to the host network
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Sascha Grunert
Security Team bot
https://smash.suse.de/issue/247621/
CVSSv2:NVD:CVE-2019-14891:6.0:(AV:N/...
Reported: 2019-11-20 10:05 UTC by Wolfgang Frisch
Modified: 2020-05-12 18:44 UTC (History)
Found By: Security Response Team
Comment 1 Wolfgang Frisch 2019-11-20 10:06:30 UTC
CVE-2019-14891

Cri-o pods didn't provide sufficient isolation between the workload and infra containers such that when a workload consumed a large amount of memory, the kernel accidentally killed the infra container's conmon process. An attacker would use the flaw to get host network access on a Kubernetes worker node.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1772280
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14891
Comment 2 Wolfgang Frisch 2019-11-20 10:08:42 UTC
>Mitigation:
>Set conmon_cgroup = "system.slice" in the crio.runtime section of /etc/crio/crio.conf. 

Unfortunately there is no further useful information on this issue so far.
Comment 5 Sascha Grunert 2020-03-04 12:00:02 UTC
(In reply to Alexandros Toptsoglou from comment #4)
> (In reply to Sascha Grunert from comment #3)
> > (In reply to Wolfgang Frisch from comment #2)
> > > >Mitigation:
> > > >Set conmon_cgroup = "system.slice" in the crio.runtime section of /etc/crio/crio.conf. 
> > > 
> > > Unfortunately there is no further useful information on this issue so far.
> > 
> > This is correct and we should go for this easy fix in CaaSP. Factory already
> > has this configuration option applied.
> 
> Was this ever applied?

Yes, those configuration options should now be the default for CaaSP as well.
Comment 6 Alexandros Toptsoglou 2020-03-04 13:28:41 UTC
Closing, all done.
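
A check for the mitigation quoted in comment 2, added here as an example and not part of the bug report or of CRI-O: it reads the contents of a crio.conf and reports whether conmon_cgroup is set to "system.slice" in the crio.runtime section, treating a commented-out line or the key under another table as not applied. The function names and the sample files (including the "pod" value) are constructed for illustration.

```python
import re

SECTION, KEY, EXPECTED = "crio.runtime", "conmon_cgroup", "system.slice"

TABLE = re.compile(r"^\[\s*([\w.\-]+)\s*\]\s*(#.*)?$")
STRING_KV = re.compile(r"""^([\w\-]+)\s*=\s*(["'])(.*?)\2\s*(#.*)?$""")

def find_conmon_cgroup(text):
    """Return conmon_cgroup as set under [crio.runtime], or None (not full TOML)."""
    table, value = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out setting is not in effect
        m = TABLE.match(line)
        if m:
            table = m.group(1)  # remember which table the next keys belong to
            continue
        m = STRING_KV.match(line)
        if m and table == SECTION and m.group(1) == KEY:
            value = m.group(3)
    return value

def audit(text):
    """Return (ok, message) for the contents of one crio.conf."""
    value = find_conmon_cgroup(text)
    if value is None:
        return False, f"{KEY} is not set in [{SECTION}]"
    if value != EXPECTED:
        return False, f"{KEY} = {value!r}, expected {EXPECTED!r}"
    return True, f"{KEY} = {value!r}"

# Constructed sample files, not taken from a real node.
MITIGATED = '[crio]\n\n[crio.runtime]\nconmon = ""\nconmon_cgroup = "system.slice"\n'
COMMENTED = '[crio.runtime]\n# conmon_cgroup = "system.slice"\n'
WRONG_TABLE = '[crio.image]\nconmon_cgroup = "system.slice"\n'
OTHER_VALUE = '[crio.runtime]\nconmon_cgroup = "pod"  # constructed value\n'

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # audit a real file, e.g. /etc/crio/crio.conf
        with open(sys.argv[1], encoding="utf-8") as fh:
            ok, msg = audit(fh.read())
        print(("OK: " if ok else "FAIL: ") + msg)
        sys.exit(0 if ok else 1)
    for name in ("MITIGATED", "COMMENTED", "WRONG_TABLE", "OTHER_VALUE"):
        print(name, audit(globals()[name]))
```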