{
  "threat_severity" : "Moderate",
  "public_date" : "2019-11-07T00:00:00Z",
  "bugzilla" : {
    "description" : "cri-o: infra container reparented to systemd following OOM Killer killing its conmon",
    "id" : "1772280",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1772280"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.0",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-460",
  "details" : [ "A flaw was found in cri-o, as a result of all pod-related processes being placed in the same memory cgroup. This can result in container management (conmon) processes being killed if a workload process triggers an out-of-memory (OOM) condition for the cgroup. An attacker could abuse this flaw to get host network access on a cri-o host." ],
  "acknowledgement" : "Red Hat would like to thank Nick Freeman (Capsule8) for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "release_date" : "2020-07-27T00:00:00Z",
    "advisory" : "RHSA-2020:2992",
    "cpe" : "cpe:/a:redhat:openshift:3.11::el7",
    "package" : "cri-o-0:1.11.16-0.10.dev.rhaos3.11.git1eee681.el7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.2",
    "release_date" : "2020-07-01T00:00:00Z",
    "advisory" : "RHSA-2020:2776",
    "cpe" : "cpe:/a:redhat:openshift:4.2::el7",
    "package" : "cri-o-0:1.14.12-15.dev.rhaos4.2.gita17905f.el8"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-14891", "https://nvd.nist.gov/vuln/detail/CVE-2019-14891", "https://capsule8.com/blog/oomypod-nothin-to-cri-o-bout/" ],
  "name" : "CVE-2019-14891",
  "mitigation" : {
    "value" : "As of cri-o v1.15 you can set conmon_cgroup = \"system.slice\" in the [crio.runtime] section of /etc/crio/crio.conf, which moves the conmon processes out of the pod's memory cgroup so that an OOM condition triggered by the workload cannot kill them. On OpenShift Container Platform 4.x this is done through the node configuration process described in the documentation here:\nhttps://access.redhat.com/documentation/en-us/openshift_container_platform/4.2/html/architecture/architecture-rhcos\nOn OpenShift Container Platform 3.x, if cri-o is in use, edit /etc/crio/crio.conf directly on each worker node and restart the cri-o service; conmon processes of pods that are already running stay in their existing cgroup until those pods are recreated. Note that cri-o is not the default container engine on that version; Docker is.",
    "lang" : "en:us"
  },
  "csaw" : false
}
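The mitigation above is a one-line change, but it is easy to apply it in the wrong TOML table or to leave pods that were started under the old layout untouched. The following is an added example, not code from cri-o or from Red Hat: it reads the conmon_cgroup setting out of a crio.conf text, and it checks, from the /proc/<pid>/cgroup contents of a workload process and its conmon, whether both still sit under the pod's memory cgroup (the layout this advisory describes, in which one OOM kill can take out conmon). The config fragments, the pod cgroup path and the /proc cgroup lines are constructed sample data; the value "pod" for conmon_cgroup is assumed to denote the pre-mitigation layout, and the cgroup path layout (systemd driver, kubepods slices) is assumed for illustration.

```python
"""Check a cri-o host's conmon placement for CVE-2019-14891.

Added example, not cri-o project code.  Two checks:
  1. read conmon_cgroup from the [crio.runtime] table of crio.conf text;
  2. decide, from /proc/<pid>/cgroup contents, which processes fall under a
     pod's memory cgroup and therefore compete for its memory limit.
"""
import re

# Constructed crio.conf fragments.  "pod" is assumed to mean "put conmon in
# the pod's cgroup" (the vulnerable layout); "system.slice" is the mitigation.
WEAK_CONF = """
[crio.runtime]
conmon = "/usr/libexec/crio/conmon"
conmon_cgroup = "pod"   # conmon shares the pod's memory limit
"""

FIXED_CONF = """
[crio.runtime]
conmon = "/usr/libexec/crio/conmon"
conmon_cgroup = "system.slice"
"""

# Constructed pod cgroup and /proc/<pid>/cgroup samples (systemd-driver style
# paths are an assumption; real ids replaced with placeholders).
POD_CGROUP = "/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod0123.slice"
WORKLOAD_PROC = (
    "11:memory:" + POD_CGROUP + "/crio-aaaa.scope\n"
    "2:cpu,cpuacct:" + POD_CGROUP + "/crio-aaaa.scope\n"
)
CONMON_IN_POD = "11:memory:" + POD_CGROUP + "/crio-conmon-aaaa.scope\n"
CONMON_SYSTEM = "11:memory:/system.slice/crio-conmon-aaaa.scope\n"
CONMON_V2 = "0::/system.slice/crio-conmon-aaaa.scope\n"   # cgroup v2 form


def conmon_cgroup_setting(conf_text):
    """Return conmon_cgroup from the [crio.runtime] table, or None if unset.

    A small line-oriented reader is used instead of a TOML library so the
    check runs on any Python 3.  Comments are stripped and only keys inside
    [crio.runtime] count, so a value placed in the wrong table is reported
    as unset.
    """
    section = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip()
            continue
        if section != "crio.runtime":
            continue
        kv = re.fullmatch(r'conmon_cgroup\s*=\s*"([^"]*)"', line)
        if kv:
            return kv.group(1)
    return None


def conmon_isolated(conf_text):
    """True when the mitigation from the advisory is in place."""
    return conmon_cgroup_setting(conf_text) == "system.slice"


def memory_cgroup_path(proc_cgroup_text):
    """Extract the memory cgroup path from /proc/<pid>/cgroup contents.

    cgroup v1 has one line per hierarchy ('11:memory:/path'); cgroup v2 has
    a single '0::/path' line whose path governs memory as well.
    """
    for line in proc_cgroup_text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) != 3:
            continue
        hierarchy_id, controllers, path = parts
        if hierarchy_id == "0" and controllers == "":
            return path
        if "memory" in controllers.split(","):
            return path
    return None


def within(path, ancestor):
    """True if cgroup `path` equals `ancestor` or is nested below it."""
    return path == ancestor or path.startswith(ancestor.rstrip("/") + "/")


def processes_under_pod_limit(pod_cgroup, procs):
    """Names of processes whose memory cgroup lies under `pod_cgroup`.

    procs maps a label to that process's /proc/<pid>/cgroup text.  Every
    name returned is a candidate for the pod's OOM killer; conmon must not
    appear here once the mitigation is applied.
    """
    under = []
    for name, text in procs.items():
        path = memory_cgroup_path(text)
        if path is not None and within(path, pod_cgroup):
            under.append(name)
    return sorted(under)


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(label, "conmon_cgroup =", conmon_cgroup_setting(conf),
              "isolated:", conmon_isolated(conf))
    print("weak layout:", processes_under_pod_limit(
        POD_CGROUP, {"workload": WORKLOAD_PROC, "conmon": CONMON_IN_POD}))
    print("fixed layout:", processes_under_pod_limit(
        POD_CGROUP, {"workload": WORKLOAD_PROC, "conmon": CONMON_SYSTEM}))
```

On a live node the same functions apply to `open("/etc/crio/crio.conf").read()` and to `/proc/<pid>/cgroup` for the container's PID and its conmon parent; the pod cgroup path is the `cgroup_parent` the kubelet assigned to the sandbox. Running the second check against pods that predate the config change is the point: those conmon processes stay where they were created until the pod is recreated.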