Red Hat Openshift Container Platform
Recent Red Hat Openshift Container Platform Security Advisories
Advisory | Title | Published |
---|---|---|
RHSA-2025:10271 | (RHSA-2025:10271) Moderate: OpenShift Container Platform 4.12.78 packages and security update | July 10, 2025 |
RHSA-2025:10270 | (RHSA-2025:10270) Moderate: OpenShift Container Platform 4.12.78 bug fix and security update | July 10, 2025 |
RHSA-2025:10295 | (RHSA-2025:10295) Important: OpenShift Container Platform 4.17.35 packages and security update | July 9, 2025 |
RHSA-2025:10294 | (RHSA-2025:10294) Important: OpenShift Container Platform 4.17.35 bug fix and security update | July 9, 2025 |
RHSA-2025:10291 | (RHSA-2025:10291) Moderate: OpenShift Container Platform 4.19.3 packages and security update | July 8, 2025 |
RHSA-2025:9759 | (RHSA-2025:9759) Important: OpenShift Container Platform 4.14.53 bug fix and security update | July 2, 2025 |
RHSA-2025:9761 | (RHSA-2025:9761) Important: OpenShift Container Platform 4.14.53 security and extras update | July 2, 2025 |
RHSA-2025:9766 | (RHSA-2025:9766) Important: OpenShift Container Platform 4.16.43 packages and security update | July 2, 2025 |
RHSA-2025:9726 | (RHSA-2025:9726) Important: OpenShift Container Platform 4.18.19 packages and security update | July 2, 2025 |
RHSA-2025:9725 | (RHSA-2025:9725) Moderate: OpenShift Container Platform 4.18.19 bug fix and security update | July 2, 2025 |
By the Year
In 2025 there have been 7 vulnerabilities in Red Hat Openshift Container Platform with an average score of 7.4 out of ten. Last year, in 2024, Openshift Container Platform had 15 security vulnerabilities published. Right now, Openshift Container Platform is on track to have fewer security vulnerabilities in 2025 than it did last year. However, the average CVE base score of the vulnerabilities in 2025 is greater by 0.35.
Year | Vulnerabilities | Average Score |
---|---|---|
2025 | 7 | 7.43 |
2024 | 15 | 7.08 |
2023 | 13 | 6.59 |
2022 | 20 | 6.63 |
2021 | 22 | 6.98 |
2020 | 30 | 7.25 |
2019 | 70 | 7.61 |
2018 | 37 | 7.69 |
It may take a day or so for new Openshift Container Platform vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Red Hat Openshift Container Platform Security Vulnerabilities
A vulnerability has been identified in the libarchive library, specifically within the archive_read_format_rar_seek_data() function
CVE-2025-5914
9.8 - Critical
- June 09, 2025
A vulnerability has been identified in the libarchive library, specifically within the archive_read_format_rar_seek_data() function. This flaw involves an integer overflow that can ultimately lead to a double-free condition. Exploiting a double-free vulnerability can result in memory corruption, enabling an attacker to execute arbitrary code or cause a denial-of-service condition.
Double-free
A flaw was found in grub2
CVE-2025-0678
7.8 - High
- March 03, 2025
A flaw was found in grub2. When reading data from a squash4 filesystem, grub's squash4 fs module uses user-controlled parameters from the filesystem geometry to determine the internal buffer size; however, it improperly checks for integer overflows. A maliciously crafted filesystem may lead some of those buffer size calculations to overflow, causing it to perform a grub_malloc() operation with a smaller size than expected. As a result, direct_read() will perform a heap-based out-of-bounds write during data reading. This flaw may be leveraged to corrupt grub's internal critical data and may result in arbitrary code execution, bypassing secure boot protections.
Integer Overflow or Wraparound
A flaw was found in the HFS filesystem
CVE-2024-45782
7.8 - High
- March 03, 2025
A flaw was found in the HFS filesystem. When reading an HFS volume's name at grub_fs_mount(), the HFS filesystem driver performs a strcpy() using the user-provided volume name as input without properly validating the volume name's length. This issue may lead to a heap-based out-of-bounds write, impacting grub's sensitive data integrity and eventually leading to a secure boot protection bypass.
Memory Corruption
A stack overflow flaw was found when reading a BFS file system
CVE-2024-45778
5.5 - Medium
- March 03, 2025
A stack overflow flaw was found when reading a BFS file system. A crafted BFS filesystem may lead to an uncontrolled loop, causing grub2 to crash.
Integer Overflow or Wraparound
A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled
CVE-2025-26465
6.8 - Medium
- February 18, 2025
A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legitimate server. This issue occurs due to how OpenSSH mishandles error codes in specific conditions when verifying the host key. For an attack to be considered successful, the attacker first needs to exhaust the client's memory resources, which makes the attack complexity high.
Detection of Error Condition Without Action
A flaw was found in rsync
CVE-2024-12086
6.8 - Medium
- January 14, 2025
A flaw was found in rsync. It could allow a server to enumerate the contents of an arbitrary file from the client's machine. This issue occurs when files are being copied from a client to a server. During this process, the rsync server will send checksums of local data to the client to compare with in order to determine what data needs to be sent to the server. By sending specially constructed checksum values for arbitrary files, an attacker may be able to reconstruct the data of those files byte-by-byte based on the responses from the client.
Detection of Error Condition Without Action
A flaw was found in rsync
CVE-2024-12088
7.5 - High
- January 14, 2025
A flaw was found in rsync. When using the `--safe-links` option, the rsync client fails to properly verify if a symbolic link destination sent from the server contains another symbolic link within it. This results in a path traversal vulnerability, which may lead to arbitrary file write outside the desired directory.
Directory traversal
A vulnerability was found in GraphQL due to improper access controls on the GraphQL introspection query
CVE-2024-50312
5.3 - Medium
- October 22, 2024
A vulnerability was found in GraphQL due to improper access controls on the GraphQL introspection query. This flaw allows unauthorized users to retrieve a comprehensive list of available queries and mutations. Exposure to this flaw increases the attack surface, as it can facilitate the discovery of flaws or errors specific to the application's GraphQL implementation.
Information Disclosure
A denial of service (DoS) vulnerability was found in OpenShift
CVE-2024-50311
6.5 - Medium
- October 22, 2024
A denial of service (DoS) vulnerability was found in OpenShift. This flaw allows attackers to exploit the GraphQL batching functionality. The vulnerability arises when multiple queries can be sent within a single request, enabling an attacker to submit a request containing thousands of aliases in one query. This issue causes excessive resource consumption, leading to application unavailability for legitimate users.
Allocation of Resources Without Limits or Throttling
A vulnerability was found in Podman, Buildah, and CRI-O
CVE-2024-9676
6.5 - Medium
- October 15, 2024
A vulnerability was found in Podman, Buildah, and CRI-O. A symlink traversal vulnerability in the containers/storage library can cause Podman, Buildah, and CRI-O to hang and result in a denial of service via OOM kill when running a malicious image using an automatically assigned user namespace (`--userns=auto` in Podman and Buildah). The containers/storage library will read /etc/passwd inside the container, but does not properly validate if that file is a symlink, which can be used to cause the library to read an arbitrary file on the host.
Directory traversal
A vulnerability was found in Buildah
CVE-2024-9675
7.8 - High
- October 09, 2024
A vulnerability was found in Buildah. Cache mounts do not properly validate that user-specified paths for the cache are within our cache directory, allowing a `RUN` instruction in a Containerfile to mount an arbitrary directory from the host (read/write) into the container as long as those files can be accessed by the user running Buildah.
Directory traversal
A flaw was found in Go
CVE-2024-9341
8.2 - High
- October 01, 2024
A flaw was found in Go. When FIPS mode is enabled on a system, container runtimes may incorrectly handle certain file paths due to improper validation in the containers/common Go library. This flaw allows an attacker to exploit symbolic links and trick the system into mounting sensitive host directories inside a container. This issue also allows attackers to access critical host files, bypassing the intended isolation between containers and the host system.
Insecure Temporary File
A misconfiguration flaw was found in Keycloak
CVE-2024-8883
6.1 - Medium
- September 19, 2024
A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking.
Open Redirect
A flaw was found in Podman
CVE-2024-3056
7.7 - High
- August 02, 2024
A flaw was found in Podman. This issue may allow an attacker to create a specially crafted container that, when configured to share the same IPC with at least one other container, can create a large number of IPC resources in /dev/shm. The malicious container will continue to exhaust resources until it is out-of-memory (OOM) killed. While the malicious container's cgroup will be removed, the IPC resources it created are not. Those resources are tied to the IPC namespace that will not be removed until all containers using it are stopped, and one non-malicious container is holding the namespace open. The malicious container is restarted, either automatically or by attacker control, repeating the process and increasing the amount of memory consumed. With a container configured to restart always, such as `podman run --restart=always`, this can result in a memory-based denial of service of the system.
Resource Exhaustion
A flaw was found in the Openshift console
CVE-2024-7079
6.5 - Medium
- July 24, 2024
A flaw was found in the Openshift console. The /API/helm/verify endpoint is tasked to fetch and verify the installation of a Helm chart from a URI that is remote HTTP/HTTPS or local. Access to this endpoint is gated by the authHandlerWithUser() middleware function. Contrary to its name, this middleware function does not verify the validity of the user's credentials. As a result, unauthenticated users can access this endpoint.
Missing Authentication for Critical Function
OpenSSH Race Condition leading to RCE, known as regreSSHion
CVE-2024-6387
8.1 - High
- July 01, 2024
A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.
Race Condition
A flaw was found in OpenShift's Telemeter
CVE-2024-5037
7.5 - High
- June 05, 2024
A flaw was found in OpenShift's Telemeter. If certain conditions are in place, an attacker can use a forged token to bypass the issue ("iss") check during JSON web token (JWT) authentication.
Authentication Bypass by Spoofing
A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect
CVE-2024-1132
- April 17, 2024
A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within the domain or conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field, and requires user interaction within the malicious URL.
Directory traversal
A flaw was discovered in the mholt/archiver package
CVE-2024-0406
7.8 - High
- April 06, 2024
A flaw was discovered in the mholt/archiver package. This flaw allows an attacker to create a specially crafted tar file, which, when unpacked, may allow access to restricted files or directories. This issue can allow the creation or overwriting of files with the user's or application's privileges using the library.
Directory traversal
A flaw was found in the kubevirt-csi component of OpenShift Virtualization's Hosted Control Plane (HCP)
CVE-2024-1725
6.5 - Medium
- March 07, 2024
A flaw was found in the kubevirt-csi component of OpenShift Virtualization's Hosted Control Plane (HCP). This issue could allow an authenticated attacker to gain access to the root HCP worker node's volume by creating a custom Persistent Volume that matches the name of a worker node.
Trust Boundary Violation
A vulnerability was found in Undertow
CVE-2024-1635
- February 19, 2024
A vulnerability was found in Undertow. This vulnerability impacts a server that supports the wildfly-http-client protocol. Whenever a malicious user opens and closes a connection with the HTTP port of the server and then closes the connection immediately, the server will end with both memory and open file limits exhausted at some point, depending on the amount of memory available. At HTTP upgrade to remoting, the WriteTimeoutStreamSinkConduit leaks connections if RemotingConnection is closed by Remoting ServerConnectionOpenListener. Because the remoting connection originates in Undertow as part of the HTTP upgrade, there is an external layer to the remoting connection. This connection is unaware of the outermost layer when closing the connection during the connection opening procedure. Hence, the Undertow WriteTimeoutStreamSinkConduit is not notified of the closed connection in this scenario. Because WriteTimeoutStreamSinkConduit creates a timeout task, the whole dependency tree leaks via that task, which is added to XNIO WorkerThread. So, the workerThread points to the Undertow conduit, which contains the connections and causes the leak.
Resource Exhaustion
A flaw was found in CRI-O that involves an experimental annotation leading to a container being unconfined
CVE-2023-6476
7.5 - High
- January 09, 2024
A flaw was found in CRI-O that involves an experimental annotation leading to a container being unconfined. This may allow a pod to specify and get any amount of memory/cpu, circumventing the kubernetes scheduler and potentially resulting in a denial of service in the node.
Allocation of Resources Without Limits or Throttling
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such
CVE-2023-48795
5.9 - Medium
- December 18, 2023
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.
Improper Validation of Integrity Check Value
A privilege escalation flaw was found in the node restriction admission plugin of the kubernetes api server of OpenShift
CVE-2023-5408
7.2 - High
- November 02, 2023
A privilege escalation flaw was found in the node restriction admission plugin of the kubernetes api server of OpenShift. A remote attacker who modifies the node role label could steer workloads from the control plane and etcd nodes onto different worker nodes and gain broader access to the cluster.
The HTTP/2 protocol
CVE-2023-44487
7.5 - High
- October 10, 2023
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Resource Exhaustion
A flaw was found in Open vSwitch that allows ICMPv6 Neighbor Advertisement packets between virtual machines to bypass OpenFlow rules
CVE-2023-5366
5.5 - Medium
- October 06, 2023
A flaw was found in Open vSwitch that allows ICMPv6 Neighbor Advertisement packets between virtual machines to bypass OpenFlow rules. This issue may allow a local attacker to create specially crafted packets with a modified or spoofed target IP address field that can redirect ICMPv6 traffic to arbitrary IP addresses.
Insufficient Verification of Data Authenticity
A flaw was found in OpenShift API, as admission checks do not enforce "custom-host" permissions
CVE-2022-3248
7.5 - High
- October 05, 2023
A flaw was found in OpenShift API, as admission checks do not enforce "custom-host" permissions. This issue could allow an attacker to violate the boundaries, as permissions will not be applied.
AuthZ
A content spoofing flaw was found in OpenShift's OAuth endpoint
CVE-2022-4145
5.3 - Medium
- October 05, 2023
A content spoofing flaw was found in OpenShift's OAuth endpoint. This flaw allows a remote, unauthenticated attacker to inject text into a webpage, enabling the obfuscation of a phishing operation.
Injection
A flaw was found in Open Virtual Network where the service monitor MAC does not properly rate limit
CVE-2023-3153
5.3 - Medium
- October 04, 2023
A flaw was found in Open Virtual Network where the service monitor MAC does not properly rate limit. This issue could allow an attacker to cause a denial of service, including on deployments with CoPP enabled and properly configured.
Allocation of Resources Without Limits or Throttling
An authentication bypass vulnerability was discovered in kube-apiserver
CVE-2023-1260
8 - High
- September 24, 2023
An authentication bypass vulnerability was discovered in kube-apiserver. This issue could allow a remote, authenticated attacker who has been given "update, patch" permissions on the "pods/ephemeralcontainers" subresource beyond what the default is. They would then need to create a new pod or patch one that they already have access to. This might allow evasion of SCC admission restrictions, thereby gaining control of a privileged pod.
The version of cri-o as released for Red Hat OpenShift Container Platform 4.9.48, 4.10.31, and 4.11.6
CVE-2022-3466
5.3 - Medium
- September 15, 2023
The version of cri-o as released for Red Hat OpenShift Container Platform 4.9.48, 4.10.31, and 4.11.6 via RHBA-2022:6316, RHBA-2022:6257, and RHBA-2022:6658, respectively, included an incorrect version of cri-o missing the fix for CVE-2022-27652, which was previously fixed in OCP 4.9.41 and 4.10.12 via RHBA-2022:5433 and RHSA-2022:1600. This issue could allow an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs. For more details, see https://access.redhat.com/security/cve/CVE-2022-27652.
Incorrect Default Permissions
A flaw was found in the `/v2/_catalog` endpoint in distribution/distribution
CVE-2023-2253
6.5 - Medium
- June 06, 2023
A flaw was found in the `/v2/_catalog` endpoint in distribution/distribution, which accepts a parameter to control the maximum number of records returned (query string: `n`). This vulnerability allows a malicious user to submit an unreasonably large value for `n`, causing the allocation of a massive string array, possibly causing a denial of service through excessive use of memory.
Allocation of Resources Without Limits or Throttling
A flaw was found in openvswitch (OVS)
CVE-2023-1668
8.2 - High
- April 10, 2023
A flaw was found in openvswitch (OVS). When processing an IP packet with protocol 0, OVS will install the datapath flow without the action modifying the IP header. This issue results (for both the kernel and userspace datapath) in installing a datapath flow matching all IP protocols (nw_proto is wildcarded) for this flow, but with an incorrect action, possibly causing incorrect handling of other IP packets with a non-zero IP protocol that match this dp flow.
Always-Incorrect Control Flow Implementation
An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service
CVE-2023-0056
6.5 - Medium
- March 23, 2023
An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability.
Resource Exhaustion
runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go
CVE-2023-27561
7 - High
- March 03, 2023
runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. NOTE: this issue exists because of a CVE-2019-19921 regression.
Use of Incorrectly-Resolved Name or Reference
A vulnerability was found in OpenShift OSIN
CVE-2021-4294
5.9 - Medium
- December 28, 2022
A vulnerability was found in OpenShift OSIN. It has been classified as problematic. This affects the function ClientSecretMatches/CheckClientSecret. The manipulation of the argument secret leads to observable timing discrepancy. The name of the patch is 8612686d6dda34ae9ef6b5a974e4b7accb4fea29. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-216987.
Side Channel Attack
An incorrect handling of the supplementary groups in the Buildah container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in
CVE-2022-2990
7.1 - High
- September 13, 2022
Incorrect handling of the supplementary groups in the Buildah container engine might lead to sensitive information disclosure or possible data modification if an attacker has direct access to the affected container, where supplementary groups are used to set access permissions, and is able to execute binary code in that container.
Placement of User into Incorrect Group
An incorrect handling of the supplementary groups in the Podman container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in
CVE-2022-2989
7.1 - High
- September 13, 2022
Incorrect handling of the supplementary groups in the Podman container engine might lead to sensitive information disclosure or possible data modification if an attacker has direct access to the affected container, where supplementary groups are used to set access permissions, and is able to execute binary code in that container.
Placement of User into Incorrect Group
In OpenShift Container Platform, a user with permissions to create or modify Routes can craft a payload
CVE-2022-1677
6.3 - Medium
- September 01, 2022
In OpenShift Container Platform, a user with permissions to create or modify Routes can craft a payload that inserts a malformed entry into one of the cluster router's HAProxy configuration files. This malformed entry can match any arbitrary hostname, or all hostnames in the cluster, and direct traffic to an arbitrary application within the cluster, including one under attacker control.
Resource Exhaustion
An Improper Certificate Validation attack was found in Openshift
CVE-2022-1632
6.5 - Medium
- September 01, 2022
An Improper Certificate Validation attack was found in Openshift. A re-encrypt Route with destinationCACertificate explicitly set to the default serviceCA skips internal Service TLS certificate validation. This flaw allows an attacker to exploit an invalid certificate, resulting in a loss of confidentiality.
Improper Certificate Validation
A permissive list of allowed inputs flaw was found in DPDK
CVE-2022-2132
8.6 - High
- August 31, 2022
A permissive list of allowed inputs flaw was found in DPDK. This issue allows a remote attacker to cause a denial of service triggered by sending a crafted Vhost header to DPDK.
A flaw was found in python-oslo-utils
CVE-2022-0718
4.9 - Medium
- August 29, 2022
A flaw was found in python-oslo-utils. Due to improper parsing, passwords containing a double quote ( " ) are masked incorrectly in debug logs, causing any part of the password after the double quote to appear in plaintext.
Insertion of Sensitive Information into Log File
A flaw was found in dpdk
CVE-2022-0669
6.5 - Medium
- August 29, 2022
A flaw was found in dpdk. This flaw allows a malicious vhost-user master to attach an unexpected number of fds as ancillary data to VHOST_USER_GET_INFLIGHT_FD / VHOST_USER_SET_INFLIGHT_FD messages that are not closed by the vhost-user slave. By sending such messages continuously, the vhost-user master exhausts the available fds in the vhost-user slave process, leading to a denial of service.
A vulnerability was found in CRI-O that causes memory or disk space exhaustion on the node for anyone with access to the Kube API
CVE-2022-1708
7.5 - High
- June 07, 2022
A vulnerability was found in CRI-O that causes memory or disk space exhaustion on the node for anyone with access to the Kube API. The ExecSync request runs commands in a container and logs the output of the command. This output is then read by CRI-O after command execution, and it is read in a manner where the entire file corresponding to the output of the command is read in. Thus, if the output of the command is large it is possible to exhaust the memory or the disk space of the node when CRI-O reads the output of the command. The highest threat from this vulnerability is system availability.
Allocation of Resources Without Limits or Throttling
A vulnerability was found in Ignition where ignition configs are accessible from unprivileged containers in VMs running on VMware products
CVE-2022-1706
6.5 - Medium
- May 17, 2022
A vulnerability was found in Ignition where ignition configs are accessible from unprivileged containers in VMs running on VMware products. This issue is only relevant in user environments where the Ignition config contains secrets. The highest threat from this vulnerability is to data confidentiality. A possible workaround is to not put secrets in the Ignition config.
AuthZ
A privilege escalation flaw was found in Podman
CVE-2022-1227
8.8 - High
- April 29, 2022
A privilege escalation flaw was found in Podman. This flaw allows an attacker to publish a malicious image to a public registry. Once this image is downloaded by a potential victim, the vulnerability is triggered after a user runs the 'podman top' command. This action gives the attacker access to the host filesystem, leading to information disclosure or denial of service.
Improper Privilege Management
A flaw was found in cri-o, where containers were incorrectly started with non-empty default permissions
CVE-2022-27652
5.3 - Medium
- April 18, 2022
A flaw was found in cri-o, where containers were incorrectly started with non-empty default permissions. A vulnerability was found in Moby (Docker Engine) where containers started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.
Incorrect Default Permissions
A flaw was found in crun where containers were incorrectly started with non-empty default permissions
CVE-2022-27650
7.5 - High
- April 04, 2022
A flaw was found in crun where containers were incorrectly started with non-empty default permissions. A vulnerability was found in Moby (Docker Engine) where containers were started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.
Incorrect Default Permissions
A flaw was found in Podman, where containers were started incorrectly with non-empty default permissions
CVE-2022-27649
7.5 - High
- April 04, 2022
A flaw was found in Podman, where containers were started incorrectly with non-empty default permissions. A vulnerability was found in Moby (Docker Engine), where containers were started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.
Incorrect Default Permissions
It was found in OpenShift Container Platform 4
CVE-2021-20238
3.7 - Low
- April 01, 2022
It was found in OpenShift Container Platform 4 that ignition config, served by the Machine Config Server, can be accessed externally from clusters without authentication. The MCS endpoint (port 22623) provides ignition configuration used for bootstrapping Nodes and can include some sensitive data, e.g. registry pull secrets. There are two scenarios where this data can be accessed. The first is on Baremetal, OpenStack, Ovirt, Vsphere and KubeVirt deployments which do not have a separate internal API endpoint and allow access from outside the cluster to port 22623 from the standard OpenShift API Virtual IP address. The second is on cloud deployments when using unsupported network plugins, which do not create iptables rules that prevent access to port 22623. In this scenario, the ignition config is exposed to all pods within the cluster and cannot be accessed externally.
Missing Authentication for Critical Function
