A CRI-O vulnerability in Kubernetes could allow an attacker to take control of affected Kubernetes environment, as well as other software or environments that use CRI-O runtime containers.
CRI-O is a derivative of the Container Runtime Interface (CRI) and the Open Container Initiative (OCI). CRI-O is focused on OCI-compliant runtimes and container images, and is a lightweight alternative to using Docker as the runtime for Kubernetes.
“A flaw introduced in CRI-O version 1.19 which an attacker can use to bypass the safeguards and set arbitrary kernel parameters on the host,” the CRI-O team wrote on GitHub.
“As a result, anyone with rights to deploy a pod on a Kubernetes cluster that uses the CRI-O runtime can abuse the ‘kernel.core_pattern’ kernel parameter to achieve container escape and arbitrary code execution as root on any node in the cluster.”
All versions greater that 1.19.0 are affected and should be patched with versions 1.19.6, 1.20.7, 1.21.6, 1.22.3, 1.23.2, or 1.24.0.
Moreover, RedHat also issued a security advisory and patches for the vulnerability CVE-2022-0811.