Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 428
Alerts This Week
Warning Icon 1 428

SUSE: 2022:3321-1 Important Update for KubeVirt Security Issues

suse
Calendar Grey September 20, 2022
Dist Suse Esm H88
An important SUSE security update addressing KubeVirt vulnerabilities is now available, including critical fix details.
An update that solves three vulnerabilities and has two fixes is now available

Summary

This update for kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container fixes the following issues: Security issues fixed: - CVE-2022-1798: Fix arbitrary file read on the host from KubeVirt VMs (bsc#1202516) Security issues fixed in vendored dependencies: - CVE-2022-1996: Fixed go-restful CORS bypass (bsc#1200528) - CVE-2022-29162: Fixed runc incorrect handling of inheritable capabilities in default configuration (bsc#1199460) Other fixes: - Pack nft rules and nsswitch.conf for virt-handler - Only create 1MiB-aligned disk images (bsc#1199603) - Avoid to return nil failure message - Use semantic equality comparison - Allow to configure utility containers for update test

References

#1199392 #1199460 #1199603 #1200528 #1202516

Cross- CVE-2022-1798 CVE-2022-1996 CVE-2022-29162

CVSS scores:

CVE-2022-1798 (NVD) : 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

CVE-2022-1798 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2022-1996 (NVD) : 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVE-2022-1996 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2022-29162 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2022-29162 (SUSE): 4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Affected Products:

SUSE Linux Enterprise High Performance Computing 15-SP3

SUSE Linux Enterprise Module for Containers 15-SP3

SUSE Linux Enterprise Server 15-SP3

SUSE Linux Enterprise Server for SAP Applications 15-SP3

Announcement ID: SUSE-SU-2022:3321-1
Rating: important

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.