Bug 1195800 - (CVE-2022-0532) VUL-0: CVE-2022-0532: cri-o: pod with access to 'hostIPC' and 'hostNetwork' kernel namespace allows sysctl from the list of safe sysctls to be applied to the host
Status: RESOLVED WONTFIX
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Michal Jura
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/322964/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-0532:4.9:(AV:N...
Reported: 2022-02-10 17:04 UTC by Carlos López
Modified: 2022-05-11 11:24 UTC

Found By: Security Response Team


Description Carlos López 2022-02-10 17:04:09 UTC
rh#2051730

It was found that if a user can create a pod with a `hostIPC` and `hostNetwork` kernel namespace and is able to specify a sysctl from the list of "safe" sysctls specified for the cluster (by default, these are specified here
<https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/#enabling-unsafe-sysctls>),
then the sysctls will be applied to the host.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2051730
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0532
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0532
https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/#enabling-unsafe-sysctls
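
An audit check for the condition described above, added here as an example and not taken from the bug report or from the cri-o fix: it scans pod JSON (the shape `kubectl get pods -A -o json` returns) for sysctls that target a kernel namespace the pod shares with the host. The function name, the prefix grouping and the sample pods are assumptions constructed for illustration, and the check treats `hostNetwork` and `hostIPC` separately, which is broader than the combined case the report names.

```python
import json

# Sysctl name prefixes by the kernel namespace they belong to (assumption:
# grouping follows the Kubernetes documentation on namespaced sysctls).
NAMESPACED = {
    "hostNetwork": ("net.",),
    "hostIPC": ("kernel.shm", "kernel.msg", "kernel.sem", "fs.mqueue."),
}

def host_sysctl_findings(pod_list):
    """Return (namespace, pod, sysctl, host_field) for each pod-level sysctl
    whose kernel namespace the pod shares with the host."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        sysctls = (spec.get("securityContext") or {}).get("sysctls") or []
        for entry in sysctls:
            name = entry.get("name", "")
            for field, prefixes in NAMESPACED.items():
                # Only an explicit true shares the host namespace.
                if spec.get(field) is True and name.startswith(prefixes):
                    findings.append((meta.get("namespace", "default"),
                                     meta.get("name", ""), name, field))
    return findings

# Constructed sample, shaped like `kubectl get pods -A -o json` output.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "demo", "name": "host-tuned"},
   "spec": {"hostNetwork": true, "hostIPC": true,
            "securityContext": {"sysctls": [
              {"name": "net.ipv4.ip_local_port_range", "value": "1024 65000"},
              {"name": "kernel.shm_rmid_forced", "value": "1"}]}}},
  {"metadata": {"namespace": "demo", "name": "net-only"},
   "spec": {"hostNetwork": true,
            "securityContext": {"sysctls": [
              {"name": "kernel.shm_rmid_forced", "value": "1"}]}}},
  {"metadata": {"namespace": "demo", "name": "isolated"},
   "spec": {"securityContext": {"sysctls": [
              {"name": "net.ipv4.tcp_syncookies", "value": "1"}]}}}
]}
""")

if __name__ == "__main__":
    for ns, pod, sysctl, field in host_sysctl_findings(SAMPLE):
        print(f"{ns}/{pod}: {sysctl} set while {field}=true")
```

Only `host-tuned` is reported: `net-only` sets an IPC sysctl while keeping its own IPC namespace, and `isolated` shares no host namespace.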
Comment 1 Carlos López 2022-02-10 17:04:48 UTC
Affected:
 - SUSE:SLE-15-SP1:Update:Products:CASP40:Update
 - openSUSE:Factory
Comment 2 Carlos López 2022-02-10 17:05:28 UTC
Upstream PR:
https://github.com/cri-o/cri-o/pull/5610
Comment 4 Michal Jura 2022-02-11 09:59:02 UTC
I am verifying this issue
Comment 7 Klaus Kämpf 2022-02-11 10:39:13 UTC
This has a 4.9 score, which is below the 8.0 threshold set for CaaSP.

-> WONTFIX (for CaaSP)

Might still be valid for Factory, though.