
Kubernetes and CRI-O release patch for vulnerability today; CrowdStrike customers protected
- CrowdStrike cloud security researchers discovered a new vulnerability (dubbed “cr8escape” and tracked as CVE-2022-0811) in the Kubernetes container engine CRI-O.
- CrowdStrike disclosed the vulnerability to Kubernetes, which worked with CRI-O to issue a patch that was released today.
- It is recommended that CRI-O users patch immediately.
- CrowdStrike customers are protected from this threat by the Falcon sensor for Linux or the Falcon Cloud Workload Protection module.
Summary
CrowdStrike’s Cloud Threat Research team discovered a new vulnerability (CVE-2022-0811) in CRI-O (a container runtime engine underpinning Kubernetes). Dubbed “cr8escape,” when invoked, an attacker could escape from a Kubernetes container and gain root access to the host and be able to move anywhere in the cluster. Invocation of CVE-2022-0811 can allow an attacker to perform a variety of actions on objectives, including execution of malware, exfiltration of data and lateral movement across pods.
Attempted exploits of this vulnerability can be detected by the Falcon sensor for Linux or the Falcon Cloud Workload Protection module. CrowdStrike disclosed the vulnerability to Kubernetes, which worked with CRI-O to issue a patch that was released today. The CVE score is 8.8 (High) and the potential impact is widespread, as many software and platforms use CRI-O by default. It is recommended that CRI-O users patch immediately. CrowdStrike customers can use Falcon Spotlight™ vulnerability management to see which hosts are affected and patch where recommended to aid against exploitation.
Kubernetes uses a container runtime like CRI-O or Docker to safely share each node’s kernel and resources with the various containerized applications running on it. The Linux kernel accepts runtime parameters that control its behavior. Some parameters are namespaced and can therefore be set in a single container without impacting the system at large. Kubernetes and the container runtimes it drives allow pods to update these “safe” kernel settings while blocking access to others.
CrowdStrike’s Cloud Threat Research team discovered a flaw introduced in CRI-O version 1.19 that allows an attacker to bypass these safeguards and set arbitrary kernel parameters on the host. As a result of CVE-2022-0811, anyone with rights to deploy a pod on a Kubernetes cluster that uses the CRI-O runtime can abuse the “kernel.core_pattern” parameter to achieve container escape and arbitrary code execution as root on any node in the cluster.
Impact
Directly Affected Software
- CRI-O version 1.19+
To determine if a host is affected: run
crio —version
Indirectly Affected Software and Platforms
While the vulnerability is in CRI-O, software and platforms that depend on it are also likely to be vulnerable, including:
- OpenShift 4+
- Oracle Container Engine for Kubernetes
Detection
The CrowdStrike Falcon sensor included in the CrowdStrike Falcon Cloud Workload Protection module, which protects Kubernetes and containers, will detect attempts to exploit CVE-2022-0811 as privilege escalation. The Falcon sensor for Linux is able to see the pinns utility command execution and detect and prevent this behavior during runtime.
Source: CrowdStrike Blog
Fachartikel

McDonald’s: Schwache Zugangsdaten legen 64 Millionen Bewerbungen offen

FoxyWallet: Über 40 schadhafte Firefox-Erweiterungen tarnen sich als Krypto-Tools

SAP-Patch-Tag im Juli 2025: Rekordzahl an Patches und kritische Deserialisierungslücken

Unsicherer Systemstart: Sicherheitslücke in initramfs erlaubt Umgehung von Linux-Bootschutz

SAP Patch Day: Juli 2025
Studien

PwC-Studie: Compliance neu denken – Tempo schlägt Bürokratie

Cohesity-Studie: Mensch bleibt größtes Sicherheitsrisiko in der IT

IT-Security-Fachkräfte: Schlüsselrolle für die digitale Sicherheit der Zukunft

WatchGuard Internet Security Report: Einzigartige Malware steigt um 171 Prozent – KI-Boom treibt Bedrohungen voran

Zwei Drittel der EU-Institutionen erfüllen grundlegende Cybersicherheitsstandards nicht
Whitepaper

ISACA veröffentlicht Leitfaden zu NIS2 und DORA: Orientierungshilfe für Europas Unternehmen

CISA und US-Partner warnen kritische Infrastrukturen vor möglichen Cyberangriffen aus dem Iran

Dating-Apps: Intime Einblicke mit Folgen

Europol-Bericht warnt vor KI-Vorurteilen in der Strafverfolgung – Leitfaden für verantwortungsvollen Technologieeinsatz veröffentlicht
