Cool. We don't ship Kata yet, but we have a component in Bugzilla. Will the
Red Hat ProdSec team create a BZ to make sure it gets fixed downstream?
Karen
On Thu, Oct 15, 2020, 6:05 AM Christophe de Dinechin <email address hidden> wrote:
> Known as CVE-2020-27151.
>
> ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-27151
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1878234
>
> Title:
> Some kata-runtime annotations can execute arbitrary code
>
> Status in Kata Containers:
> New
>
> Bug description:
> ================================
> This issue is being treated as a potential security risk under embargo.
> Please do not make any public mention of embargoed (private) security
> vulnerabilities before their coordinated publication by the Kata
> Containers Vulnerability Management Team in the form of an official
> Kata Containers Security Advisory. This includes discussion of the bug
> or associated fixes in public forums such as mailing lists, code review
> systems and bug trackers. Please also avoid private disclosure to other
> individuals not already approved for access to this information, and
> provide this same reminder to those who are made aware of the issue
> prior to publication. All discussion should remain confined to this
> private bug report, and any proposed fixes should be added to the bug
> as attachments.
> ================================
>
> A few of the kata-runtime annotations can be used to execute arbitrary
> pre-existing binaries on the host.
>
> For example, "virtio_fs_daemon" in combination with
> "virtio_fs_extra_args" makes it possible to invoke a host binary with
> arbitrary args.
>
> The hypervisor.path and hypervisor.jailer_path annotations could also
> be used the same way.
>
> Suggestion for fix: add valid annotation values to the configuration
> file that lists the acceptable values for such annotations, with a
> suitable default value of "empty".
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/katacontainers.io/+bug/1878234/+subscriptions
>
>
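The fix suggested in the quoted report (a per-annotation list of acceptable host paths in the configuration file, defaulting to empty so that nothing is allowed) can be sketched as follows. This is an added illustration written for this page, not kata-runtime's own code: the full annotation key names, the configuration field names and the hostile annotation values are assumptions, and the only things taken from the report are the short annotation names (virtio_fs_daemon, virtio_fs_extra_args, hypervisor.path, hypervisor.jailer_path) and the allowlist-with-empty-default idea. It also shows the check a reviewer would want on top of the bare list: the value must be a canonical absolute path before it is matched, so "/usr/libexec/x/../../bin/sh" cannot satisfy a pattern like "/usr/libexec/*".

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
)

// Full annotation key names are an assumption for this example; the bug
// report only uses the short names (virtio_fs_daemon, hypervisor.path, ...).
const (
	annHypervisorPath    = "io.katacontainers.config.hypervisor.path"
	annHypervisorJailer  = "io.katacontainers.config.hypervisor.jailer_path"
	annVirtioFSDaemon    = "io.katacontainers.config.hypervisor.virtio_fs_daemon"
	annVirtioFSExtraArgs = "io.katacontainers.config.hypervisor.virtio_fs_extra_args"
)

// PathAllowlist models the suggested fix: per-annotation lists of acceptable
// host paths read from the runtime configuration file. The zero value (all
// lists empty) is the suggested default and denies every path annotation.
// Field names are assumptions, not the project's actual configuration keys.
type PathAllowlist struct {
	ValidHypervisorPaths     []string // glob patterns, e.g. "/usr/bin/qemu-system-*"
	ValidJailerPaths         []string
	ValidVirtioFSDaemonPaths []string
}

var ErrNotAllowed = errors.New("annotation value not in configured allowlist")

// listFor maps each path-valued annotation to its allowlist. Annotations that
// do not name a host binary (such as virtio_fs_extra_args) return ok=false and
// are not checked here: without a permitted daemon path the extra args reach nothing.
func (a PathAllowlist) listFor(key string) (list []string, ok bool) {
	switch key {
	case annHypervisorPath:
		return a.ValidHypervisorPaths, true
	case annHypervisorJailer:
		return a.ValidJailerPaths, true
	case annVirtioFSDaemon:
		return a.ValidVirtioFSDaemonPaths, true
	}
	return nil, false
}

// pathAllowed reports whether value is a canonical absolute path matching at
// least one pattern. Non-canonical input ("..", "//", trailing "/", relative
// paths) is rejected before matching so that "/usr/libexec/x/../../bin/sh"
// cannot sneak past a pattern such as "/usr/libexec/*".
func pathAllowed(patterns []string, value string) bool {
	if !filepath.IsAbs(value) || filepath.Clean(value) != value {
		return false
	}
	for _, p := range patterns {
		// An empty list, or a malformed pattern, never matches: fail closed.
		if matched, err := filepath.Match(p, value); err == nil && matched {
			return true
		}
	}
	return false
}

// ValidateAnnotations rejects any path-valued annotation whose value is not
// explicitly allowed, returning the first offending key wrapped in ErrNotAllowed.
func ValidateAnnotations(cfg PathAllowlist, annotations map[string]string) error {
	for key, value := range annotations {
		patterns, isPathKey := cfg.listFor(key)
		if !isPathKey {
			continue
		}
		if !pathAllowed(patterns, value) {
			return fmt.Errorf("%w: %s=%q", ErrNotAllowed, key, value)
		}
	}
	return nil
}

func main() {
	// Constructed annotations of the kind the report describes: point the
	// virtiofs daemon at an arbitrary host binary and hand it arguments.
	hostile := map[string]string{
		annVirtioFSDaemon:    "/bin/sh",
		annVirtioFSExtraArgs: "-c 'id > /tmp/pwned'",
	}
	// Default configuration: nothing is allowed, so the request fails closed.
	fmt.Println("default config:", ValidateAnnotations(PathAllowlist{}, hostile))

	// Operator-configured allowlist (assumed values).
	cfg := PathAllowlist{
		ValidHypervisorPaths:     []string{"/usr/bin/qemu-system-*"},
		ValidVirtioFSDaemonPaths: []string{"/usr/libexec/virtiofsd"},
	}
	fmt.Println("allowlisted:", ValidateAnnotations(cfg, map[string]string{annVirtioFSDaemon: "/usr/libexec/virtiofsd"}))
	fmt.Println("traversal:", ValidateAnnotations(cfg, map[string]string{annVirtioFSDaemon: "/usr/libexec/virtiofsd/../../bin/sh"}))
}
```

The design point is that the allowlist is a property of the host configuration, which the container user cannot write, while the annotation is user input; validation therefore has to happen in the runtime before any exec, and an empty list must mean "deny", never "anything goes".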