Privilege escalation in kata-containers



Published: 2022-08-18 | Updated: 2022-12-22
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2022-0847
CWE-ID CWE-908
Exploitation vector Local
Public exploit Vulnerability #1 is being exploited in the wild.
Vulnerable software
Subscribe
Kata Containers
Server applications / Virtualization software

Vendor Kata Containers

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Use of uninitialized resource

EUVDB-ID: #VU61110

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-0847

CWE-ID: CWE-908 - Use of Uninitialized Resource

Exploit availability: Yes

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to usage of an uninitialized resources. A local user can overwrite arbitrary file in the page cache, even if the file is read-only, and execute arbitrary code on the system with elevated privileges.

The vulnerability was dubbed Dirty Pipe.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Kata Containers: 2.0.0 - 2.4.3


CPE2.3 External links

http://github.com/kata-containers/kata-containers/releases/tag/2.5.0

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###