What kind of vulnerability is it? Who is impacted?
All versions of CRI-O running on cgroupv2 nodes.
Unchecked access to an experimental annotation allows a container to be unconfined. Back in 2021, support was added to support an experimental annotation that allows a user to request special resources in cgroupv2. It was supposed to be gated by an experimental annotation: io.kubernetes.cri-o.UnifiedCgroup
, which was supposed to be filtered from the list of allowed annotations . However, there is a bug in this code which allows any user to specify this annotation, regardless of whether it's enabled on the node. The consequences of this are a pod can specify any amount of memory/cpu and get it, circumventing the kubernetes scheduler, and potentially be able to DOS a node.
Has the problem been patched? What versions should users upgrade to? 1.29.1, 1.28.3, 1.27.3
Is there a way for users to fix or remediate the vulnerability without upgrading? use cgroupv1
Are there any links users can visit to find out more?
{ "nvd_published_at": "2024-01-09T22:15:43Z", "cwe_ids": [ "CWE-400", "CWE-770" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-01-10T15:27:45Z" }