A vulnerability in the Linux kernel, CVE-2022-0492, has been disclosed. The kernel did not check whether a process had sufficient capabilities before letting it write the release_agent file of a cgroup v1 hierarchy; the program named there is executed by the kernel as root on the host whenever a cgroup becomes empty. Attackers can exploit the vulnerability to escalate their privileges on vulnerable hosts and bypass namespace isolation. In specific conditions, the vulnerability can cause privilege escalation and container escapes.

CVE-2022-0492 is rated as high severity and its Common Vulnerability Scoring System (CVSS) score is 7.0.

Affected versions

  • The Linux kernel v2.6.24-rc1 and later versions are affected. This vulnerability is fixed in the Linux kernel v5.17-rc3 and later versions. For more information, see v5.17-rc3. Distribution kernels backport the fix, so a node kernel whose version number is lower than 5.17 may already be patched; rely on the distribution's advisory or the kernel package changelog rather than on the version number alone.
  • All kernel versions of the nodes in Container Service for Kubernetes (ACK) clusters are affected by this vulnerability.

Impacts

Kubernetes does not apply a seccomp profile to pods by default, so the unshare system call is available inside containers. A pod is exploitable if its container runs as root without a restrictive seccomp profile: the attacker uses unshare to create new user and mount namespaces, mounts the cgroup v1 filesystem there, and writes its release_agent. Setting no_new_privs (allowPrivilegeEscalation: false) alone does not close this path, because unshare is still permitted. A pod is also exploitable if it is privileged or has been granted the CAP_SYS_ADMIN capability, because the cgroup filesystem can then be mounted directly. In both cases an attacker who gains code execution in the container can escape from it, and in specific conditions bypass namespace isolation to gain root privileges on the host.

Mitigation

  1. The Alibaba Cloud operating system team has fixed this vulnerability and released the patched kernel. We recommend that you log on to the nodes in your cluster and run the yum update kernel command to update the kernel of the nodes. The new kernel only takes effect after a reboot, so drain each node before rebooting it and verify the running kernel with uname -r afterwards.
  2. Temporary solution:
    1. Use the default seccomp profile of the container runtime (seccompProfile.type: RuntimeDefault) for pods, which blocks the unshare system call. For more information, see Create a pod that uses the container runtime default seccomp profile.
    2. Do not deploy privileged pods or add the CAP_SYS_ADMIN capability to pods, and run containers as a non-root user where possible. For more information, see CAP_SYS_ADMIN.
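As an added example (not part of this advisory and not an ACK tool), the following Python function audits pod manifests, in the shape returned by kubectl get pod -o json, for the conditions described under Impacts and targeted by the temporary mitigations above: privileged containers, CAP_SYS_ADMIN, a missing or Unconfined seccomp profile, and containers that may run as root. The two sample manifests are constructed for illustration; the pod name and image are placeholders.

```python
"""Audit Kubernetes pod manifests for the conditions that make CVE-2022-0492
exploitable from inside a container: root user, privileged / CAP_SYS_ADMIN,
and no seccomp profile that blocks unshare."""

# Profile types that block unshare (RuntimeDefault does; a Localhost profile
# is assumed here to be at least as restrictive, which you should verify).
SAFE_SECCOMP_TYPES = {"RuntimeDefault", "Localhost"}


def _seccomp_type(sec_ctx):
    """Return seccompProfile.type from a securityContext dict, or None."""
    if not sec_ctx:
        return None
    return (sec_ctx.get("seccompProfile") or {}).get("type")


def audit_pod(pod):
    """Return a list of findings for one pod manifest (dict). An empty list
    means none of the risky conditions from the advisory were found."""
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    pod_seccomp = _seccomp_type(pod_sc)
    name = pod.get("metadata", {}).get("name", "<unnamed>")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname = f"{name}/{c.get('name', '<unnamed>')}"
        sc = c.get("securityContext") or {}

        # 1. A privileged container holds every capability, CAP_SYS_ADMIN included.
        if sc.get("privileged"):
            findings.append(f"{cname}: privileged container")

        # 2. CAP_SYS_ADMIN added explicitly (with or without the CAP_ prefix).
        added = {cap.upper().replace("CAP_", "", 1)
                 for cap in (sc.get("capabilities") or {}).get("add", [])}
        if "SYS_ADMIN" in added or "ALL" in added:
            findings.append(f"{cname}: CAP_SYS_ADMIN added")

        # 3. Seccomp: the container-level profile overrides the pod-level one;
        #    missing or Unconfined means unshare is not blocked.
        seccomp = _seccomp_type(sc) or pod_seccomp
        if seccomp not in SAFE_SECCOMP_TYPES:
            findings.append(
                f"{cname}: seccomp profile {seccomp or 'not set'} (unshare allowed)")

        # 4. Root inside the container: runAsUser 0, or runAsNonRoot not enforced.
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if run_as_user == 0 or (run_as_user is None and not run_as_non_root):
            findings.append(f"{cname}: may run as root")
    return findings


# Constructed sample manifests (not from the advisory): a pod as many
# workloads are deployed, and the same pod with the mitigations applied.
RISKY_POD = {
    "metadata": {"name": "web"},
    "spec": {
        "containers": [{
            "name": "app",
            "image": "example/app:1.0",
            "securityContext": {"capabilities": {"add": ["SYS_ADMIN"]}},
        }],
    },
}

HARDENED_POD = {
    "metadata": {"name": "web"},
    "spec": {
        "securityContext": {
            "seccompProfile": {"type": "RuntimeDefault"},
            "runAsNonRoot": True,
            "runAsUser": 10001,
        },
        "containers": [{
            "name": "app",
            "image": "example/app:1.0",
            "securityContext": {
                "privileged": False,
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}

if __name__ == "__main__":
    for label, pod in (("risky", RISKY_POD), ("hardened", HARDENED_POD)):
        print(label, audit_pod(pod) or "no findings")
```

To run it against a live cluster, feed each item of kubectl get pods -A -o json to audit_pod; the risky sample above yields three findings (CAP_SYS_ADMIN, no seccomp profile, root), while the hardened sample yields none. The check is a static review of the manifest, so it does not tell you whether the node kernel is patched; that is what the yum update kernel step above is for.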