CVE-2022-0811
published 2022-03-16

Priority: P2 64, high, 8.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS: 18.56% (96.9th percentile)

A flaw was found in CRI-O in the way it set kernel options for a pod. This issue allows anyone with rights to deploy a pod on a Kubernetes cluster that uses the CRI-O runtime to achieve a container escape and arbitrary code execution as root on the cluster node, where the malicious pod was deployed.

Affected

13 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | cri-o_cri-o | >= 1.19.0 < 1.19.6 | 1.19.6 |
| github.com | cri-o_cri-o | >= 1.20.0 < 1.20.7 | 1.20.7 |
| github.com | cri-o_cri-o | >= 1.21.0 < 1.21.6 | 1.21.6 |
| github.com | cri-o_cri-o | >= 1.22.0 < 1.22.3 | 1.22.3 |
| github.com | cri-o_cri-o | >= 1.23.0 < 1.23.2 | 1.23.2 |
| kubernetes | cri-o | | |
| kubernetes | cri-o | >= 1.19.0 < 1.19.6 | 1.19.6 |
| kubernetes | cri-o | >= 1.20.0 < 1.20.7 | 1.20.7 |
| kubernetes | cri-o | >= 1.21.0 < 1.21.6 | 1.21.6 |
| kubernetes | cri-o | >= 1.22.0 < 1.22.3 | 1.22.3 |
| kubernetes | cri-o | >= 1.23.0 < 1.23.2 | 1.23.2 |
| msrc | cbl2_cri-o_1.22.3-14_on_cbl_mariner_2.0 | | |
| msrc | cbl2_cri-o_1.22.3-1_on_cbl_mariner_2.0 | | |

Detection & IOCs (extracted from sources)

  • Flag use of kernel-level sysctls (names prefixed with 'kernel.') in pod securityContext — a prerequisite condition for the exploit.
  • Red Hat OpenShift Container Platform versions 4.6 and later are affected; OCP versions prior to 4.6 are not affected.
  • The vulnerability was introduced in CRI-O version 1.19 (September 2020); clusters running CRI-O older than 1.19 are not affected.
  • No in-the-wild exploitation had been reported at the time of CrowdStrike's disclosure on March 15, 2022.

CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| vendor_msrc | | 8.8 | HIGH | |
| vendor_redhat | | 8.8 | HIGH | |