Security Vulnerability in CRI-O Could Affect OpenShift Users

Homepage Blog Security Vulnerability in CRI-O Could Affect OpenShift Users

Security Vulnerability in CRI-O Could Affect OpenShift Users

21 Mar 2022

Crowdstrike researchers have detected an exploit called “cr8escape” in the CRI-O Container Engine. The vulnerability has a CVE rating of 8.8/10 (High), and it has been disclosed that it affects software and platforms using CRI-O.

It is stated that attackers exploiting this vulnerability could escape the Kubernetes container, gain root access, and then access any part of the cluster.

Directly affected software versions:

CRI-O version 1.19+

Indirectly affected software and platforms:

OpenShift 4+
Oracle Container Engine for Kubernetes

Solution:

At the Kubernetes level:

The ideal solution is to block pods by using “+=” values in the sysctl commands.
As a secondary solution, the PodSecurityPolicy with the forbiddenSysctls field can be used to block all sysctls.

At the CRI-O level:

Upgrade CRI-O to the latest patched version (version 1.23.2).
Add the -s parameter to the pinns_path in the CRI-O config file to prevent violations related to pod kernel parameters.
Downgrading to CRI-O version 1.18 or earlier (not generally recommended).

Other Posts

Turning Customer Data into Strategic Advantage with Splunk MLTK

A New Era in Security Operations with Splunk Mission Control

The Power Behind Real-Time Web Applications

See all posts

Get In Touch

Other Posts

Sekom | Security Vulnerability in CRI-O Could Affect OpenShift Users

Turning Customer Data into Strategic Advantage with Splunk MLTK

Turn customer data into strategic advantage with Splunk MLTK. Machine learning anomaly detection, security, and Splunk Enterprise Security.

Sekom | Security Vulnerability in CRI-O Could Affect OpenShift Users

A New Era in Security Operations with Splunk Mission Control

Unify alerts, automate response, and gain full visibility with Splunk Mission Control. Accelerate SOC efficiency—take control today!

Sekom | Security Vulnerability in CRI-O Could Affect OpenShift Users

Understanding Modern Systems: End-to-End Visibility with Splunk Observability

Discover how Splunk Observability provides visibility and faster root cause analysis across systems. Start your observability journey today.

Sekom | Security Vulnerability in CRI-O Could Affect OpenShift Users

Smart Log Analysis with Splunk Machine Learning Toolkit (MLTK)

Unlock insights with Splunk’s Machine Learning Toolkit (MLTK). Detect anomalies, predict trends, optimize operations using machine data.

Sekom | Security Vulnerability in CRI-O Could Affect OpenShift Users

Export Jira Worklog Data with Python and Send It to Your Team via Email

Transfer Jira worklogs to Excel using Python and Jira API. Send via email. Save time with this detailed guide and troubleshooting tips!

Sekom | Security Vulnerability in CRI-O Could Affect OpenShift Users

Jira Time Tracking Automation with Python: Daily API and Cron-Based Solution

Automate daily time tracking using Python, Jira REST API, and cron. A quick guide to holiday-aware reporting and Teams alerts!

Your Privacy

Most websites you visit store or retrieve data in your browser as cookies. This information may be about you, your preferences, or your device and is mostly used to make the site work as you expect it to. This information generally doesn't directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, we give you the option to opt out of certain types of cookies. You can learn more and change our default settings by clicking on the different category headings. However, blocking some types of cookies may impact your experience on our site and the services we offer.

Strictly Necessary Cookies

These cookies are necessary for our website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in, or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not work. These cookies do not store any personally identifiable information.

Strictly Necessary Cookies

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site and will not be able to monitor its performance.

Performance Cookies

Targeting Cookies

These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant advertisements on other sites. They do not store directly personal information but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Targeting Cookies

Functional Identification Information

These cookies enable the website to provide enhanced functionality and personalization. They may be set by us or by third-party providers whose services we have added to our pages. If you do not allow these cookies, then some or all of these services may not function properly.

Functional Identification Information

“Building Digital Future”

We are a well-established, reliable, and expert digital transformation integrator, committed to the satisfaction of both our customers and our employees.

Explore