2020-05-12 15:51:33 |
Christophe de Dinechin |
bug |
|
|
added bug |
2020-05-14 15:18:37 |
Christophe de Dinechin |
bug |
|
|
added subscriber Dr. David Alan Gilbert |
2020-05-14 15:21:20 |
Christophe de Dinechin |
bug |
|
|
added subscriber ERNST Eric |
2020-05-14 15:25:30 |
Christophe de Dinechin |
bug |
|
|
added subscriber Wang Xu |
2020-05-14 15:29:06 |
Christophe de Dinechin |
bug |
|
|
added subscriber Peng Tao |
2020-05-14 15:30:33 |
Christophe de Dinechin |
bug |
|
|
added subscriber Julio Montes |
2020-05-14 15:33:27 |
Christophe de Dinechin |
bug |
|
|
added subscriber fidencio |
2020-05-14 18:25:04 |
Christophe de Dinechin |
attachment added |
|
Patches that only addresses the VirtIOFS case - It looks like the hypervisor is not https://bugs.launchpad.net/katacontainers.io/+bug/1878234/+attachment/5371684/+files/patches.tgz |
|
2020-05-15 14:25:31 |
Christophe de Dinechin |
bug |
|
|
added subscriber Archana Shinde |
2020-05-15 17:43:35 |
Christophe de Dinechin |
attachment added |
|
Patch arbitrary host execution vulnerability in kata runtime https://bugs.launchpad.net/katacontainers.io/+bug/1878234/+attachment/5372233/+files/host-execution-vulnerability.patch |
|
2020-05-18 06:36:46 |
Christophe de Dinechin |
bug |
|
|
added subscriber Karen Noel |
2020-05-18 07:21:13 |
Peng Tao |
description |
A few of the kata-runtime annotations can be used to execute arbitrary pre-existing binaries on the host.
For example, "virtio_fs_daemon" in combination with "virtio_fs_extra_args" makes it possible to invoke a host binary with arbitrary args.
The hypervisor.path and hypervisor.jailer_path annotations could also be used the same way.
Suggestion for fix: add valid annotation values to the configuration file that lists the acceptable values for such annotations, with a suitable default value of "empty". |
A few of the kata-runtime annotations can be used to execute arbitrary pre-existing binaries on the host.
For example, "virtio_fs_daemon" in combination with "virtio_fs_extra_args" makes it possible to invoke a host binary with arbitrary args.
The hypervisor.path and hypervisor.jailer_path annotations could also be used the same way.
Suggestion for fix: add valid annotation values to the configuration file that lists the acceptable values for such annotations, with a suitable default value of "empty".
========
This issue is being treated as a potential security risk under embargo.
Please do not make any public mention of embargoed (private) security
vulnerabilities before their coordinated publication by the Kata
Containers Vulnerability Management Team in the form of an official
Kata Containers Security Advisory. This includes discussion of the bug
or associated fixes in public forums such as mailing lists, code review
systems and bug trackers. Please also avoid private disclosure to other
individuals not already approved for access to this information, and
provide this same reminder to those who are made aware of the issue
prior to publication. All discussion should remain confined to this
private bug report, and any proposed fixes should be added to the bug
as attachments. |
|
2020-05-18 07:21:46 |
Peng Tao |
description |
A few of the kata-runtime annotations can be used to execute arbitrary pre-existing binaries on the host.
For example, "virtio_fs_daemon" in combination with "virtio_fs_extra_args" makes it possible to invoke a host binary with arbitrary args.
The hypervisor.path and hypervisor.jailer_path annotations could also be used the same way.
Suggestion for fix: add valid annotation values to the configuration file that lists the acceptable values for such annotations, with a suitable default value of "empty".
========
This issue is being treated as a potential security risk under embargo.
Please do not make any public mention of embargoed (private) security
vulnerabilities before their coordinated publication by the Kata
Containers Vulnerability Management Team in the form of an official
Kata Containers Security Advisory. This includes discussion of the bug
or associated fixes in public forums such as mailing lists, code review
systems and bug trackers. Please also avoid private disclosure to other
individuals not already approved for access to this information, and
provide this same reminder to those who are made aware of the issue
prior to publication. All discussion should remain confined to this
private bug report, and any proposed fixes should be added to the bug
as attachments. |
================================
This issue is being treated as a potential security risk under embargo.
Please do not make any public mention of embargoed (private) security
vulnerabilities before their coordinated publication by the Kata
Containers Vulnerability Management Team in the form of an official
Kata Containers Security Advisory. This includes discussion of the bug
or associated fixes in public forums such as mailing lists, code review
systems and bug trackers. Please also avoid private disclosure to other
individuals not already approved for access to this information, and
provide this same reminder to those who are made aware of the issue
prior to publication. All discussion should remain confined to this
private bug report, and any proposed fixes should be added to the bug
as attachments.
================================
A few of the kata-runtime annotations can be used to execute arbitrary pre-existing binaries on the host.
For example, "virtio_fs_daemon" in combination with "virtio_fs_extra_args" makes it possible to invoke a host binary with arbitrary args.
The hypervisor.path and hypervisor.jailer_path annotations could also be used the same way.
Suggestion for fix: add valid annotation values to the configuration file that lists the acceptable values for such annotations, with a suitable default value of "empty". |
|
2020-05-18 07:26:02 |
Peng Tao |
katacontainers.io: importance |
Undecided |
Critical |
|
2020-05-18 07:37:02 |
Peng Tao |
attachment added |
|
draft-KCSA https://bugs.launchpad.net/katacontainers.io/+bug/1878234/+attachment/5373236/+files/KCSA-2020-0001-draft |
|
2020-05-18 10:10:36 |
Peng Tao |
attachment added |
|
0001-config-add-an-option-to-enable-config-via-annotation.patch https://bugs.launchpad.net/katacontainers.io/+bug/1878234/+attachment/5373350/+files/0001-config-add-an-option-to-enable-config-via-annotation.patch |
|
2020-05-18 10:21:36 |
Peng Tao |
attachment removed |
0001-config-add-an-option-to-enable-config-via-annotation.patch https://bugs.launchpad.net/katacontainers.io/+bug/1878234/+attachment/5373350/+files/0001-config-add-an-option-to-enable-config-via-annotation.patch |
|
|
2020-05-19 13:42:37 |
Christophe de Dinechin |
removed subscriber ERNST Eric |
|
|
|
2020-05-19 17:49:49 |
Christophe de Dinechin |
attachment added |
|
Series of patches to control annotations https://bugs.launchpad.net/katacontainers.io/+bug/1878234/+attachment/5374221/+files/host-execution-vulnerability-v3.tar |
|
2020-05-19 17:49:53 |
Christophe de Dinechin |
attachment added |
|
Series of patches to control annotations https://bugs.launchpad.net/katacontainers.io/+bug/1878234/+attachment/5374222/+files/host-execution-vulnerability-v3.tar |
|
2020-10-15 09:09:31 |
Christophe de Dinechin |
cve linked |
|
2020-27151 |
|
2020-11-20 16:19:38 |
Archana Shinde |
katacontainers.io: status |
New |
Confirmed |
|
2020-11-20 16:19:44 |
Archana Shinde |
katacontainers.io: status |
Confirmed |
Fix Committed |
|
2020-12-03 19:32:37 |
Archana Shinde |
katacontainers.io: status |
Fix Committed |
Fix Released |
|
2020-12-03 19:38:45 |
Archana Shinde |
information type |
Private Security |
Public Security |
|