CVE-2019-14891Improper Cleanup on Thrown Exception in Redhat Openshift Container Platform

CWE-460Improper Cleanup on Thrown ExceptionCWE-754Improper Check for Unusual or Exceptional Conditions6 documents5 sources
Severity
5.0MEDIUMNVD
EPSS
0.3%
top 45.25%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Kubernetes Cri-oRedhat Openshift Container Platform
Timeline
PublishedNov 25
Latest updateMay 24

Description

A flaw was found in cri-o, as a result of all pod-related processes being placed in the same memory cgroup. This can result in container management (conmon) processes being killed if a workload process triggers an out-of-memory (OOM) condition for the cgroup. An attacker could abuse this flaw to get host network access on an cri-o host.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:LExploitability: 1.6 | Impact: 3.4

Affected Packages2 packages

NVDkubernetes/cri-o< 1.16.1
CVEListV5kubernetes/cri-on/a

Also affects: Openshift Container Platform 3.11, 4.1, 4.2

🔴Vulnerability Details

2
GHSA
GHSA-7hwv-gxwq-2g5p: A flaw was found in cri-o, as a result of all pod-related processes being placed in the same memory cgroup2022-05-24
CVEList
CVE-2019-14891: A flaw was found in cri-o, as a result of all pod-related processes being placed in the same memory cgroup2019-11-25

📋Vendor Advisories

1
Red Hat
cri-o: infra container reparented to systemd following OOM Killer killing it's conmon2019-11-07

💬Community

2
Bugzilla
CVE-2019-14891 cri-o: infra container reparented to systemd following OOM Killer killing it's conmon [fedora-all]2019-11-19
Bugzilla
CVE-2019-14891 cri-o: infra container reparented to systemd following OOM Killer killing it's conmon2019-11-14
CVE-2019-14891 — Improper Cleanup on Thrown Exception | cvebase