[Bugs] [Bug 13546] New: [CVE 21] kubernetes 1.25.4 CVEs found

bugzilla bugzilla at rosalinux.ru
Wed Aug 23 23:21:04 MSK 2023


https://bugzilla.rosalinux.ru/show_bug.cgi?id=13546

          Platform: 2021.1
            Bug ID: 13546
           Summary: [CVE 21] kubernetes 1.25.4 CVEs found
    Classification: ROSA-based products
           Product: ROSA Fresh
           Version: All
          Hardware: All
               URL: CVE-2023-2431, CVE-2023-2727, CVE-2023-2728,
                OS: Linux
            Status: CONFIRMED
          Severity: normal
          Priority: Normal
         Component: System (kernel, glibc, systemd, bash, PAM...)
          Assignee: bugs at lists.rosalinux.ru
          Reporter: y.tumanov at rosalinux.ru
        QA Contact: bugs at lists.rosalinux.ru
                CC: e.kosachev at rosalinux.ru, s.matveev at rosalinux.ru,
                    y.tumanov at rosalinux.ru
  Target Milestone: ---
             Flags: secteam_verified?

Please patch CVEs for package kubernetes version 1.25.4

INFO: CVEs found in kubernetes 1.25.4
CVE-2023-2431
Desc: A security issue was discovered in Kubelet that allows pods to bypass the
seccomp profile enforcement. Pods that use localhost type for seccomp profile
but specify an empty profile field, are affected by this issue. In this
scenario, this vulnerability allows the pod to run in unconfined (seccomp
disabled) mode. This bug affects Kubelet.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-2431
Severity: MEDIUM

CVE-2023-2727
Desc: Users may be able to launch containers using images that are restricted
by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are
only affected if the ImagePolicyWebhook admission plugin is used together with
ephemeral containers.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-2727
Severity: MEDIUM

CVE-2023-2728
Desc: Users may be able to launch containers that bypass the mountable secrets
policy enforced by the ServiceAccount admission plugin when using ephemeral
containers. The policy ensures pods running with a service account may only
reference secrets specified in the service account's secrets field. Kubernetes
clusters are only affected if the ServiceAccount admission plugin and the
`kubernetes.io/enforce-mountable-secrets` annotation are used together with
ephemeral containers.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-2728
Severity: MEDIUM
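As an added audit aid (this code is not from the bug report, the ROSA package or the Kubernetes project), the following Python scans parsed pod manifests for the condition CVE-2023-2431 describes: a seccomp profile of type Localhost whose profile field is empty or missing. Until the kubelet is patched, such a pod runs unconfined, so flagging it in manifests before they reach the cluster is a useful interim control. The field names used (`spec.securityContext.seccompProfile.type`, `localhostProfile`, and the same block under `containers`, `initContainers` and `ephemeralContainers`) are the standard Kubernetes pod API fields; the sample manifests are constructed for the example.

```python
"""Audit pod manifests for the CVE-2023-2431 pattern:
seccompProfile.type == "Localhost" with an empty or missing localhostProfile.

Added example; not part of Kubernetes or the bug report above.
Input is a pod manifest already parsed into a dict (e.g. via yaml.safe_load).
"""

# Container lists in a PodSpec that each carry their own SecurityContext.
CONTAINER_SCOPES = ("containers", "initContainers", "ephemeralContainers")

FINDING = "seccompProfile.type=Localhost with empty localhostProfile"


def _seccomp_issue(security_context, where):
    """Return a finding string for one SecurityContext, or None if it is fine."""
    if not security_context:
        return None
    profile = security_context.get("seccompProfile") or {}
    if profile.get("type") != "Localhost":
        # RuntimeDefault / Unconfined / absent are out of scope for this CVE.
        return None
    # YAML "localhostProfile:" with no value parses to None; "" is also empty.
    if not (profile.get("localhostProfile") or "").strip():
        return f"{where}: {FINDING}"
    return None


def find_empty_localhost_seccomp(pod):
    """Return all findings for one pod manifest (pod level plus every container)."""
    spec = pod.get("spec", {}) or {}
    name = (pod.get("metadata", {}) or {}).get("name", "<unnamed>")
    findings = []

    issue = _seccomp_issue(spec.get("securityContext"), f"pod/{name}")
    if issue:
        findings.append(issue)

    for scope in CONTAINER_SCOPES:
        for container in spec.get(scope, []) or []:
            cname = container.get("name", "?")
            issue = _seccomp_issue(container.get("securityContext"),
                                   f"pod/{name} {scope}/{cname}")
            if issue:
                findings.append(issue)
    return findings


def audit_manifests(pods):
    """Map pod name -> number of findings, for pods that have at least one."""
    result = {}
    for pod in pods:
        findings = find_empty_localhost_seccomp(pod)
        if findings:
            result[(pod.get("metadata", {}) or {}).get("name", "<unnamed>")] = len(findings)
    return result


# Constructed sample manifests (not real cluster data).
SAMPLE_PODS = [
    {   # pod-level Localhost profile with an empty profile field -> finding
        "apiVersion": "v1", "kind": "Pod",
        "metadata": {"name": "bad-pod"},
        "spec": {
            "securityContext": {"seccompProfile": {"type": "Localhost",
                                                   "localhostProfile": ""}},
            "containers": [{"name": "app", "image": "example/app:1.0"}],
        },
    },
    {   # RuntimeDefault at pod level, a real Localhost profile on the container -> clean
        "apiVersion": "v1", "kind": "Pod",
        "metadata": {"name": "ok-pod"},
        "spec": {
            "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
            "containers": [{
                "name": "app", "image": "example/app:1.0",
                "securityContext": {"seccompProfile": {
                    "type": "Localhost",
                    "localhostProfile": "profiles/audit.json"}},
            }],
        },
    },
    {   # ephemeral (debug) container with Localhost and no profile field -> finding
        "apiVersion": "v1", "kind": "Pod",
        "metadata": {"name": "bad-ephemeral"},
        "spec": {
            "containers": [{"name": "app", "image": "example/app:1.0"}],
            "ephemeralContainers": [{
                "name": "debug", "image": "example/debug:1.0",
                "securityContext": {"seccompProfile": {"type": "Localhost"}},
            }],
        },
    },
]


if __name__ == "__main__":
    for pod in SAMPLE_PODS:
        for line in find_empty_localhost_seccomp(pod):
            print(line)
    print(audit_manifests(SAMPLE_PODS))
```

The check deliberately covers `ephemeralContainers` as well, since the other two CVEs in this report show that ephemeral containers are where admission-side enforcement has tended to be skipped; a manifest that passes this check still relies on the patched kubelet for runtime enforcement.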
