[Workaround] OpenShift CRI-O vulnerability CVE-2022-0811

Resolution

The best resolution is to upgrade to a version that has a patched CRI-O. However, until that is possible, there are a number of possible workarounds, depending on the customer's comfort. The best solution is updating SCCs to block all sysctls. Another option is using Kyverno to filter sysctls that have invalid value types.

Note: these workaround has not been extensively tested. Engineering and QE are working on doing so, but this should be a consideration when deciding which option use.

To start, we recommend running the following query

oc get pods -A -o json | jq .items[].spec.securityContext?.sysctls[]?.value | grep '+'

We recommend removing any deployments configured in this way, as they are workloads exploiting this vulnerability.

Updating default SCCs

Note: There are many warnings in the documentation around updating default SCCs. Those warning are to ensure upgrades do not cause updates to be unexpectedly reverted. Users should be cautious about updating default SCCs. In this case, the SCC update only need be applied until a cluster can be updated. After that, the changes should be reverted. As such, this recommendation is supported and legitimate.

Audit your cluster for any pods that use sysctls:

oc get pods -A -o json | jq .items[].spec.securityContext?.sysctls[]?

If any do, we recommend kyverno or other validating webhook options.
To update SCC to block all sysctls, an admin needs to run:

# list SCCs
$ oc get scc
# patch SCC named $sccName to block all sysctls
$ oc patch scc $sccName --type merge -p '{"forbiddenSysctls": ["*"]}'

It is recommended to update this for any SCC that has untrusted workloads running within it. Assuming the output of the first query above returned empty, there should be no risk to blocking sysctls in all SCCs.

Admins can use the following loop:

$ for scc in $(oc get scc -o json | jq -r .items[].metadata.name); do
  oc patch scc $scc --type merge -p '{"forbiddenSysctls": ["*"]}';
done

To edit every SCC.

Note: this update will only be applied to new deployments.

Reverting workaround

Users can run

oc patch scc $sccName --type merge -p '{"forbiddenSysctls": []}'

to remove the workaround for a given SCC $sccName. If the loop solution above was used, the following can be run:

# Check all SCCs have either <none> or * for Forbidden Sysctls.
# If any other value is configured, it will be lost, and will need to be restored
for scc in $(oc get scc -o json | jq -r .items[].metadata.name); do
  echo $scc;
  oc describe scc $scc | grep Forbidden;
done
# Clear forbidden sysctls for all SCCs
for scc in $(oc get scc -o json | jq -r .items[].metadata.name); do
  oc patch scc $scc --type merge -p '{"forbiddenSysctls": []}';
done

Kyverno

Kyverno is a policy agent, and can be used to generate a policy that forbids workloads from exploiting this vulnerability.

To configure Kyverno, users can refer to their documentation. Users should make note of the version compatibility matrix.
Next, a user needs to apply the policy as described here.