Advisory ID: D2IQ-2022-0001
Severity: Critical
Synopsis: A Linux kernel bug can allow for host system access by escaping a running container in Kubernetes
Affected Products & Versions: All DKP products running on Linux kernel earlier than 5.16.2
Issue date: 26 January 2022
Updated on: 26 January 2022
Problem Description
A Linux kernel vulnerability has been reported that can allow an adversary to escape from a container running in Kubernetes and gain access to the host system. Any Kubernetes deployment running on a Linux kernel earlier than 5.16.2 is potentially affected.
Solutions
The recommended fix is to upgrade your kernel to version 5.16.2 or later. Once an appropriate kernel version is available for your distribution, contact your operating system support vendor if you need assistance with the upgrade.
Until then, if you are running on Ubuntu, you can disable unprivileged user namespaces by running the following:
sysctl -w kernel.unprivileged_userns_clone=0
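The following script is an added example, not part of the advisory: it checks whether a node still needs a mitigation at all (kernel already 5.16.2 or later?) and, if it does, whether the Ubuntu sysctl above is already in effect. Kernel version parsing and the knob path are the only assumptions; the path argument to userns_clone_disabled exists so the check can be exercised against a constructed file.

```sh
#!/bin/sh
# Added example (not part of the advisory): decide whether this node still
# needs a CVE-2022-0185 mitigation. Two checks: is the running kernel 5.16.2
# or later, and if not, is kernel.unprivileged_userns_clone already 0?

# Succeed (exit 0) when kernel version $1 is 5.16.2 or later. Only the numeric
# major.minor.patch prefix is compared; distribution suffixes such as
# "-1013-gcp" or "-348.el8.x86_64" are ignored. Exit 2 when $1 is not a
# version string we can parse.
kernel_is_fixed() {
    [ -n "$1" ] || return 2
    ver=${1%%-*}                       # "5.15.0-1013-gcp" -> "5.15.0"
    IFS=. read -r major minor patch _rest <<EOF
$ver
EOF
    minor=${minor:-0}
    patch=${patch%%[!0-9]*}            # "2+" -> "2"
    patch=${patch:-0}
    for part in "$major" "$minor" "$patch"; do
        case $part in ''|*[!0-9]*) return 2 ;; esac
    done
    # Pack major.minor.patch into one integer so a plain -ge comparison works.
    [ "$((major * 1000000 + minor * 1000 + patch))" -ge "$((5 * 1000000 + 16 * 1000 + 2))" ]
}

# State of the Ubuntu/Debian knob the advisory sets with
# "sysctl -w kernel.unprivileged_userns_clone=0". Exit 0 when it reads 0,
# 1 when it reads anything else, 2 when the knob does not exist on this kernel
# (upstream and RHEL kernels do not carry it). $1 overrides the path for tests.
userns_clone_disabled() {
    knob=${1:-/proc/sys/kernel/unprivileged_userns_clone}
    [ -r "$knob" ] || return 2
    [ "$(cat "$knob")" = "0" ]
}

# Print a short status for the node this runs on.
report_node() {
    kver=$(uname -r)
    rc=0
    kernel_is_fixed "$kver" || rc=$?
    case $rc in
        0) echo "kernel $kver is 5.16.2 or later: no mitigation needed"; return 0 ;;
        2) echo "cannot parse kernel version '$kver'; checking mitigation anyway" ;;
        *) echo "kernel $kver is earlier than 5.16.2: mitigation needed until upgraded" ;;
    esac
    rc=0
    userns_clone_disabled || rc=$?
    case $rc in
        0) echo "  kernel.unprivileged_userns_clone=0 is set" ;;
        1) echo "  kernel.unprivileged_userns_clone is NOT 0; run: sysctl -w kernel.unprivileged_userns_clone=0" ;;
        *) echo "  kernel.unprivileged_userns_clone is not present on this kernel; use the seccomp mitigation instead" ;;
    esac
}

report_node
```

Two practical notes: `sysctl -w` changes only the running kernel, so the setting also needs to go into a file under /etc/sysctl.d/ to survive a reboot, and kernel.unprivileged_userns_clone is a Debian/Ubuntu-specific knob; on kernels that lack it, the generic user.max_user_namespaces=0 sysctl stops new user namespaces from being created, at the cost of blocking every user-namespace user on the node.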
For Red Hat and CentOS systems, a short-term mitigation is to use a seccomp profile that does not allow "unshare".
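The advisory does not include a profile, so the one below is an added example (not D2IQ's or Red Hat's): a kubelet "Localhost" seccomp profile that returns EPERM for the unshare(2) system call, which is what the unshare command uses to create a new user namespace. It goes slightly beyond the text by also refusing clone(2) with the CLONE_NEWUSER flag and clone3(2), the other two ways a process can create a user namespace; the kubelet seccomp root (/var/lib/kubelet/seccomp, the kubelet default) and the file name no-unshare.json are assumptions.

```sh
#!/bin/sh
# Added example (not from the advisory): install a kubelet "Localhost" seccomp
# profile that refuses user-namespace creation. Assumes the kubelet's default
# seccomp root; override PROFILE_DIR if yours differs.

PROFILE_DIR=${PROFILE_DIR:-/var/lib/kubelet/seccomp}

# Write the profile to $1. The profile is a narrow deny list: everything not
# listed is allowed, so it layers on top of whatever else the runtime enforces.
#   unshare  -> EPERM (SCMP_ACT_ERRNO defaults to EPERM)
#   clone    -> EPERM only when arg0 (flags) has CLONE_NEWUSER (0x10000000) set;
#               SCMP_CMP_MASKED_EQ means (flags & value) == valueTwo
#   clone3   -> ENOSYS (38); its flags live in a struct seccomp cannot inspect,
#               and ENOSYS makes libc fall back to clone(2), filtered above
write_no_unshare_profile() {
    out=$1
    mkdir -p "$(dirname "$out")"
    cat > "$out" <<'EOF'
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
  "syscalls": [
    {
      "names": ["unshare"],
      "action": "SCMP_ACT_ERRNO"
    },
    {
      "names": ["clone"],
      "action": "SCMP_ACT_ERRNO",
      "args": [
        { "index": 0, "value": 268435456, "valueTwo": 268435456, "op": "SCMP_CMP_MASKED_EQ" }
      ]
    },
    {
      "names": ["clone3"],
      "action": "SCMP_ACT_ERRNO",
      "errnoRet": 38
    }
  ]
}
EOF
}

# Install the profile and print the pod-spec fields that reference it
# (localhostProfile is resolved relative to the kubelet seccomp root).
install_profile() {
    write_no_unshare_profile "$PROFILE_DIR/no-unshare.json"
    echo "wrote $PROFILE_DIR/no-unshare.json"
    echo "reference it from a pod or container securityContext:"
    echo "  seccompProfile:"
    echo "    type: Localhost"
    echo "    localhostProfile: no-unshare.json"
}

# Only touch the node when asked to, so the script is safe to source or inspect.
if [ "${1:-}" = "--install" ]; then
    install_profile
fi
```

Run it as `sh install-no-unshare.sh --install` on each node (the file has to exist on every node the pod can be scheduled to), then set the printed securityContext fields on the workloads you want covered. A Pod Security admission policy that requires a seccomp profile will catch workloads that omit it. Note also that the default profile shipped by Docker and containerd (`seccompProfile.type: RuntimeDefault`) already allows unshare only for containers that hold CAP_SYS_ADMIN, so on clusters where RuntimeDefault is enforced this custom profile mainly matters for pods running Unconfined or with extra capabilities.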
Additional Resources
Red Hat's CVE page for this bug:
https://access.redhat.com/security/cve/CVE-2022-0185
A more thorough summary of the bug and its impact can be found here:
https://www.bleepingcomputer.com/news/security/linux-kernel-bug-can-let-hackers-escape-kubernetes-containers/