Bug ID 1094170
Summary VUL-0: CVE-2018-1000400: cri-o: capabilities are not dropped when switching to a non-root user
Classification openSUSE
Product openSUSE Distribution
Version Leap 15.0
Hardware Other
URL https://smash.suse.de/issue/206144/
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee containers-bugowner@suse.de
Reporter kbabioch@suse.com
QA Contact security-team@suse.de
CC asarai@suse.com, containers-bugowner@suse.de, dcassany@suse.com, fcastelli@suse.com, jmassaguerpla@suse.com, kmacinnes@suse.com, kukuk@suse.com, mjura@suse.com, mmeister@suse.com, rfernandezlopez@suse.com, vrothberg@suse.com
Found By Security Response Team
Blocker --- 

rh#1578109

Kubernetes CRI-O version prior to 1.9 contains a Privilege Context Switching
Error (CWE-270) vulnerability in the handling of ambient capabilities that can
result in containers running with elevated privileges, allowing users abilities
they should not have. This attack appears to be exploitable via container
execution. This vulnerability appears to have been fixed in 1.9.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1578109
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000400
https://github.com/kubernetes-incubator/cri-o/pull/1558/files

You are receiving this mail because: