Description
A vulnerability was found in CRI-O, which can be asked to take a checkpoint archive of a container and later to restore it. During that restoration, CRI-O attempts to restore the mounts from the restore archive instead of from the pod request. As a result, the validations run on the pod spec, which verify that the pod has access to the mounts it specifies, are not applicable to a restored container. This flaw allows a malicious user to trick CRI-O into restoring a pod that doesn't have access to host mounts. The user needs access to the kubelet or CRI-O socket to call the restore endpoint and trigger the restore.
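The missing validation can be pictured as a comparison between the mounts recorded in the archive and the host paths validated for the pod request. The Go sketch below is an added example, not CRI-O's code or the upstream fix. It assumes the archived mounts are in OCI runtime-spec `mounts` form; `UnrequestedHostMounts`, `ociMount` and the sample spec are hypothetical names and constructed data.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
)

// ociMount is the subset of an OCI runtime-spec mount entry this check needs.
type ociMount struct {
	Type    string   `json:"type"`
	Source  string   `json:"source"`
	Options []string `json:"options"`
}

// UnrequestedHostMounts returns bind-mount sources found in the archived spec
// that are not among the host paths validated for the restoring pod request.
func UnrequestedHostMounts(archivedSpec []byte, validated []string) ([]string, error) {
	var spec struct {
		Mounts []ociMount `json:"mounts"`
	}
	if err := json.Unmarshal(archivedSpec, &spec); err != nil {
		return nil, fmt.Errorf("parse archived spec: %w", err)
	}
	allowed := map[string]bool{}
	for _, p := range validated {
		allowed[filepath.Clean(p)] = true // normalise before comparing
	}
	var extra []string
	for _, m := range spec.Mounts {
		bind := m.Type == "bind"
		for _, o := range m.Options {
			bind = bind || o == "bind" || o == "rbind"
		}
		if src := filepath.Clean(m.Source); bind && !allowed[src] {
			extra = append(extra, src)
		}
	}
	return extra, nil
}

// constructedSpec is sample data built for this example (assumed archive content).
const constructedSpec = `{"mounts":[
 {"type":"proc","source":"proc"},
 {"type":"bind","source":"/var/lib/app/data","options":["rbind","rw"]},
 {"type":"bind","source":"/etc/../etc/kubernetes","options":["rbind","ro"]}]}`

func main() {
	fmt.Println(UnrequestedHostMounts([]byte(constructedSpec), []string{"/var/lib/app/data/"}))
}
```

A non-empty result means the archive carries a host mount that the pod-spec validations never saw, so the restore should be refused.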
Problem types
Product status
Any version before 1.29.11
1.30.0 (semver) before 1.30.8
1.31.0 (semver) before 1.31.3
0:1.28.11-7.rhaos4.15.gitc4c0556.el8 (rpm) before *
0:1.29.11-3.rhaos4.16.git16d9bd6.el8 (rpm) before *
416.94.202506251808-0 (rpm) before *
417.94.202503241418-0 (rpm) before *
0:1.31.5-5.rhaos4.18.git6dfa0a6.el8 (rpm) before *
418.94.202504231329-0 (rpm) before *
Timeline
| 2024-09-20: | Reported to Red Hat. |
| 2024-11-26: | Made public. |
References
access.redhat.com/errata/RHBA-2024:10826 (RHBA-2024:10826)
access.redhat.com/errata/RHSA-2025:0648 (RHSA-2025:0648)
access.redhat.com/errata/RHSA-2025:1908 (RHSA-2025:1908)
access.redhat.com/errata/RHSA-2025:3297 (RHSA-2025:3297)
access.redhat.com/errata/RHSA-2025:4211 (RHSA-2025:4211)
access.redhat.com/errata/RHSA-2025:9765 (RHSA-2025:9765)
access.redhat.com/security/cve/CVE-2024-8676
bugzilla.redhat.com/show_bug.cgi?id=2313842 (RHBZ#2313842)