Security Bulletin: Red Hat OpenShift on IBM Cloud is affected by a cri-o security vulnerability (CVE-2024-3154)

Published: 2024-07-04 11:41:50 (source: www.ibm.com)

CVSS v3.1 base score: 7.2 (High)
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (Attack Vector: Network; Attack Complexity: Low; Privileges Required: High; User Interaction: None; Scope: Unchanged; Confidentiality, Integrity and Availability Impact: High)
Vulners AI Score: 7.5 (High), confidence: High

Summary

Red Hat OpenShift on IBM Cloud is affected by a security vulnerability in the cri-o component, which could allow a remote authenticated attacker to execute arbitrary commands on the system (CVE-2024-3154).

Vulnerability Details

CVEID: CVE-2024-3154
Description: CRI-O could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by an arbitrary systemd property injection. By sending a specially crafted request using pod annotation, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVSS Base Score: 7.2
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/290271> for more information
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Red Hat OpenShift on IBM Cloud 4.15-4.15.11_1533_openshift_W
Red Hat OpenShift on IBM Cloud 4.14-4.14.23_1561_openshift_W
Red Hat OpenShift on IBM Cloud 4.13-4.13.42_1574_openshift_W
Red Hat OpenShift on IBM Cloud 4.12-4.12.56_1590_openshift_W
Red Hat OpenShift on IBM Cloud 3.11-4.11

Remediation/Fixes

Updates for Red Hat OpenShift on IBM Cloud cluster worker nodes at versions 4.12 or later are available that fix this vulnerability. Customers must update worker nodes created before the fix was available to address the vulnerability. For details on updating worker nodes, see either the classic or VPC documentation, as appropriate. To verify your cluster worker nodes have been updated, use the following IBM Cloud CLI command to confirm the currently running versions:

ibmcloud oc workers --cluster <cluster name or ID>

If the versions are at one of the following patch levels or later, the cluster worker nodes have the fix:

4.12.57_1591_openshift_W
4.13.43_1578_openshift_W
4.14.25_1564_openshift_W
4.15.13_1535_openshift_W
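
The version check described above, as an added example that is not IBM's code: it parses worker versions in the bulletin's `<major>.<minor>.<patch>_<build>_openshift_W` format and compares each against the fixed patch level for its minor line. The sample worker versions are constructed; the fixed levels are the ones listed in this bulletin.

```python
"""Check Red Hat OpenShift on IBM Cloud worker versions against the fixed patch levels.

Added example, not IBM's code. Fixed levels are taken from the bulletin; the sample
worker versions below are constructed for illustration.
"""
import re
from typing import Optional

# Minimum worker version carrying the CVE-2024-3154 fix, per minor line (from the bulletin).
FIXED_LEVELS = {
    (4, 12): "4.12.57_1591_openshift_W",
    (4, 13): "4.13.43_1578_openshift_W",
    (4, 14): "4.14.25_1564_openshift_W",
    (4, 15): "4.15.13_1535_openshift_W",
}

# Worker version format used in the bulletin: <major>.<minor>.<patch>_<build>_openshift_W
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)_(\d+)_openshift_W$")


def parse_version(version: str) -> tuple:
    """Return (major, minor, patch, build) as ints; raise ValueError on unknown formats."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised worker version: {version!r}")
    return tuple(int(g) for g in m.groups())


def has_fix(version: str) -> Optional[bool]:
    """True if the worker is at or past the fixed level for its minor line.
    False if it is below that level, or on a line the bulletin ships no fix for
    (4.11 and earlier). None if the line is newer than the bulletin covers."""
    major, minor, patch, build = parse_version(version)
    fixed = FIXED_LEVELS.get((major, minor))
    if fixed is None:
        return False if (major, minor) < (4, 12) else None
    _, _, fixed_patch, fixed_build = parse_version(fixed)
    # Compare patch level first, then build number within the same patch.
    return (patch, build) >= (fixed_patch, fixed_build)


def report(versions):
    """Map each worker version string to its verdict (True / False / None)."""
    return {v: has_fix(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample of versions as `ibmcloud oc workers` might list them.
    sample = ["4.14.23_1561_openshift_W", "4.14.25_1564_openshift_W",
              "4.15.14_1536_openshift_W", "4.11.58_1610_openshift_W"]
    for v, ok in report(sample).items():
        label = "fixed" if ok else ("NO FIX" if ok is False else "not covered by bulletin")
        print(f"{v}: {label}")
```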

Customers running Red Hat OpenShift on IBM Cloud Service clusters at version 4.11 must upgrade to version 4.12. Please review the documentation before starting an upgrade since additional actions may be required.

Customers running Red Hat OpenShift on IBM Cloud Service clusters at version 4.10 must create a new cluster and deploy their apps to the new cluster.
Red Hat OpenShift on IBM Cloud Service 4.11 and earlier are no longer supported. See the Red Hat OpenShift on IBM Cloud Service version information and update actions documentation for more information about Kubernetes versions and version support policies.
