<html>
    <head>
      <base href="https://bugzilla.rosalinux.ru/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Platform</th>
          <td>2021.1
          </td>
        </tr>

        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_CONFIRMED "
   title="CONFIRMED - [CVE 21] kubernetes 1.25.4 CVEs found"
   href="https://bugzilla.rosalinux.ru/show_bug.cgi?id=13546">13546</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>[CVE 21] kubernetes 1.25.4  CVEs found
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>ROSA-based products
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>ROSA Fresh
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>URL</th>
          <td>CVE-2023-2431, CVE-2023-2727, CVE-2023-2728,
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>CONFIRMED
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>Normal
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>System (kernel, glibc, systemd, bash, PAM...)
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>bugs&#64;lists.rosalinux.ru
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>y.tumanov&#64;rosalinux.ru
          </td>
        </tr>

        <tr>
          <th>QA Contact</th>
          <td>bugs&#64;lists.rosalinux.ru
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>e.kosachev&#64;rosalinux.ru, s.matveev&#64;rosalinux.ru, y.tumanov&#64;rosalinux.ru
          </td>
        </tr>

        <tr>
          <th>Target Milestone</th>
          <td>---
          </td>
        </tr>

        <tr>
          <th>Flags</th>
          <td>secteam_verified?
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Please patch CVEs for package kubernetes version 1.25.4

INFO (CVEs are): kubernetes 1.25.4 cves found
CVE-2023-2431
Desc: A security issue was discovered in Kubelet that allows pods to bypass the
seccomp profile enforcement. Pods that use localhost type for seccomp profile
but specify an empty profile field, are affected by this issue. In this
scenario, this vulnerability allows the pod to run in unconfined (seccomp
disabled) mode. This bug affects Kubelet.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-2431">https://nvd.nist.gov/vuln/detail/CVE-2023-2431</a>
Severity: MEDIUM
CVE-2023-2727
Desc: Users may be able to launch containers using images that are restricted
by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are
only affected if the ImagePolicyWebhook admission plugin is used together with
ephemeral containers.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-2727">https://nvd.nist.gov/vuln/detail/CVE-2023-2727</a>
Severity: MEDIUM
CVE-2023-2728
Desc: Users may be able to launch containers that bypass the mountable secrets
policy enforced by the ServiceAccount admission plugin when using ephemeral
containers. The policy ensures pods running with a service account may only
reference secrets specified in the service account’s secrets field. Kubernetes
clusters are only affected if the ServiceAccount admission plugin and the
`kubernetes.io/enforce-mountable-secrets` annotation are used together with
ephemeral containers.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-2728">https://nvd.nist.gov/vuln/detail/CVE-2023-2728</a>
Severity: MEDIUM</pre>
        </div>
      </p>


    </body>
</html>