{ "document":{ "aggregate_severity":{ "namespace":"https://nvd.nist.gov/vuln-metrics/cvss", "text":"High" }, "category":"csaf_vex", "csaf_version":"2.0", "distribution":{ "tlp":{ "label":"WHITE", "url":"https:/www.first.org/tlp/" } }, "lang":"en", "notes":[ { "text":"cri-o security update", "category":"general", "title":"Synopsis" }, { "text":"An update for cri-o is now available for openEuler-22.03-LTS-SP1.", "category":"general", "title":"Summary" }, { "text":"Open Container Initiative-based implementation of Kubernetes Container Runtime Interface.\n\nSecurity Fix(es):\n\nIncorrect handling of the supplementary groups in the CRI-O container engine might lead to sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.(CVE-2022-2995)", "category":"general", "title":"Description" }, { "text":"An update for cri-o is now available for openEuler-22.03-LTS-SP1.\n\nopenEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.", "category":"general", "title":"Topic" }, { "text":"High", "category":"general", "title":"Severity" }, { "text":"cri-o", "category":"general", "title":"Affected Component" } ], "publisher":{ "issuing_authority":"openEuler security committee", "name":"openEuler", "namespace":"https://www.openeuler.org", "contact_details":"openeuler-security@openeuler.org", "category":"vendor" }, "references":[ { "summary":"openEuler-SA-2024-1251", "category":"self", "url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1251" }, { "summary":"CVE-2022-2995", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail?cveId=CVE-2022-2995&packageName=cri-o" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2022-2995" }, { "summary":"openEuler-SA-2024-1251 vex file", "category":"self", "url":"https://repo.openeuler.org/security/data/csaf/advisories/2024/csaf-openeuler-sa-2024-1251.json" } ], "title":"An update for cri-o is now available for openEuler-22.03-LTS-SP1", "tracking":{ "initial_release_date":"2024-03-08T09:12:38+08:00", "revision_history":[ { "date":"2024-03-08T09:12:38+08:00", "summary":"Initial", "number":"1.0.0" }, { "date":"2024-10-31T09:12:38+08:00", "summary":"final", "number":"2.0.0" } ], "generator":{ "date":"2024-10-31T09:12:38+08:00", "engine":{ "name":"openEuler CSAF Tool V1.0" } }, "current_release_date":"2024-10-31T09:12:38+08:00", "id":"openEuler-SA-2024-1251", "version":"2.0.0", "status":"final" } }, "product_tree":{ "branches":[ { "name":"openEuler", "category":"vendor", "branches":[ { "name":"openEuler", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP1" }, "product_id":"openEuler-22.03-LTS-SP1", "name":"openEuler-22.03-LTS-SP1" }, "name":"openEuler-22.03-LTS-SP1", "category":"product_version" } ], "category":"product_name" }, { "name":"aarch64", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP1" }, "product_id":"cri-o-1.23.2-2.oe2203sp1.aarch64.rpm", "name":"cri-o-1.23.2-2.oe2203sp1.aarch64.rpm" }, "name":"cri-o-1.23.2-2.oe2203sp1.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP1" }, "product_id":"cri-o-debuginfo-1.23.2-2.oe2203sp1.aarch64.rpm", "name":"cri-o-debuginfo-1.23.2-2.oe2203sp1.aarch64.rpm" }, "name":"cri-o-debuginfo-1.23.2-2.oe2203sp1.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP1" }, "product_id":"cri-o-debugsource-1.23.2-2.oe2203sp1.aarch64.rpm", "name":"cri-o-debugsource-1.23.2-2.oe2203sp1.aarch64.rpm" }, "name":"cri-o-debugsource-1.23.2-2.oe2203sp1.aarch64.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"src", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP1" }, "product_id":"cri-o-1.23.2-2.oe2203sp1.src.rpm", "name":"cri-o-1.23.2-2.oe2203sp1.src.rpm" }, "name":"cri-o-1.23.2-2.oe2203sp1.src.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"x86_64", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP1" }, "product_id":"cri-o-1.23.2-2.oe2203sp1.x86_64.rpm", "name":"cri-o-1.23.2-2.oe2203sp1.x86_64.rpm" }, "name":"cri-o-1.23.2-2.oe2203sp1.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP1" }, "product_id":"cri-o-debuginfo-1.23.2-2.oe2203sp1.x86_64.rpm", "name":"cri-o-debuginfo-1.23.2-2.oe2203sp1.x86_64.rpm" }, "name":"cri-o-debuginfo-1.23.2-2.oe2203sp1.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP1" }, "product_id":"cri-o-debugsource-1.23.2-2.oe2203sp1.x86_64.rpm", "name":"cri-o-debugsource-1.23.2-2.oe2203sp1.x86_64.rpm" }, "name":"cri-o-debugsource-1.23.2-2.oe2203sp1.x86_64.rpm", "category":"product_version" } ], "category":"architecture" } ] } ], "relationships":[ { "relates_to_product_reference":"openEuler-22.03-LTS-SP1", "product_reference":"cri-o-1.23.2-2.oe2203sp1.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP1:cri-o-1.23.2-2.oe2203sp1.aarch64", "name":"cri-o-1.23.2-2.oe2203sp1.aarch64 as a component of openEuler-22.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP1", "product_reference":"cri-o-debuginfo-1.23.2-2.oe2203sp1.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP1:cri-o-debuginfo-1.23.2-2.oe2203sp1.aarch64", "name":"cri-o-debuginfo-1.23.2-2.oe2203sp1.aarch64 as a component of openEuler-22.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP1", "product_reference":"cri-o-debugsource-1.23.2-2.oe2203sp1.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP1:cri-o-debugsource-1.23.2-2.oe2203sp1.aarch64", "name":"cri-o-debugsource-1.23.2-2.oe2203sp1.aarch64 as a component of openEuler-22.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP1", "product_reference":"cri-o-1.23.2-2.oe2203sp1.src.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP1:cri-o-1.23.2-2.oe2203sp1.src", "name":"cri-o-1.23.2-2.oe2203sp1.src as a component of openEuler-22.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP1", "product_reference":"cri-o-1.23.2-2.oe2203sp1.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP1:cri-o-1.23.2-2.oe2203sp1.x86_64", "name":"cri-o-1.23.2-2.oe2203sp1.x86_64 as a component of openEuler-22.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP1", "product_reference":"cri-o-debuginfo-1.23.2-2.oe2203sp1.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP1:cri-o-debuginfo-1.23.2-2.oe2203sp1.x86_64", "name":"cri-o-debuginfo-1.23.2-2.oe2203sp1.x86_64 as a component of openEuler-22.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP1", "product_reference":"cri-o-debugsource-1.23.2-2.oe2203sp1.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP1:cri-o-debugsource-1.23.2-2.oe2203sp1.x86_64", "name":"cri-o-debugsource-1.23.2-2.oe2203sp1.x86_64 as a component of openEuler-22.03-LTS-SP1" }, "category":"default_component_of" } ] }, "vulnerabilities":[ { "cve":"CVE-2022-2995", "notes":[ { "text":"Incorrect handling of the supplementary groups in the CRI-O container engine might lead to sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-22.03-LTS-SP1:cri-o-1.23.2-2.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:cri-o-debuginfo-1.23.2-2.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:cri-o-debugsource-1.23.2-2.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:cri-o-1.23.2-2.oe2203sp1.src", "openEuler-22.03-LTS-SP1:cri-o-1.23.2-2.oe2203sp1.x86_64", "openEuler-22.03-LTS-SP1:cri-o-debuginfo-1.23.2-2.oe2203sp1.x86_64", "openEuler-22.03-LTS-SP1:cri-o-debugsource-1.23.2-2.oe2203sp1.x86_64" ] }, "remediations":[ { "product_ids":[ "openEuler-22.03-LTS-SP1:cri-o-1.23.2-2.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:cri-o-debuginfo-1.23.2-2.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:cri-o-debugsource-1.23.2-2.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:cri-o-1.23.2-2.oe2203sp1.src", "openEuler-22.03-LTS-SP1:cri-o-1.23.2-2.oe2203sp1.x86_64", "openEuler-22.03-LTS-SP1:cri-o-debuginfo-1.23.2-2.oe2203sp1.x86_64", "openEuler-22.03-LTS-SP1:cri-o-debugsource-1.23.2-2.oe2203sp1.x86_64" ], "details":"cri-o security update", "category":"vendor_fix", "url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1251" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"HIGH", "baseScore":7.1, "vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version":"3.1" }, "products":[ "openEuler-22.03-LTS-SP1:cri-o-1.23.2-2.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:cri-o-debuginfo-1.23.2-2.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:cri-o-debugsource-1.23.2-2.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:cri-o-1.23.2-2.oe2203sp1.src", "openEuler-22.03-LTS-SP1:cri-o-1.23.2-2.oe2203sp1.x86_64", "openEuler-22.03-LTS-SP1:cri-o-debuginfo-1.23.2-2.oe2203sp1.x86_64", "openEuler-22.03-LTS-SP1:cri-o-debugsource-1.23.2-2.oe2203sp1.x86_64" ] } ], "threats":[ { "details":"High", "category":"impact" } ], "title":"CVE-2022-2995" } ] }