kubevirt-container-disk-0.59.0-2.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:12792 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z kubevirt-container-disk-0.59.0-2.1 on GA media These are all security issues fixed in the kubevirt-container-disk-0.59.0-2.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-12792 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:12792 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2023-26484/ SUSE CVE CVE-2023-26484 page openSUSE Tumbleweed kubevirt-container-disk-0.59.0-2.1 kubevirt-manifests-0.59.0-2.1 kubevirt-tests-0.59.0-2.1 kubevirt-virt-api-0.59.0-2.1 kubevirt-virt-controller-0.59.0-2.1 kubevirt-virt-exportproxy-0.59.0-2.1 kubevirt-virt-exportserver-0.59.0-2.1 kubevirt-virt-handler-0.59.0-2.1 kubevirt-virt-launcher-0.59.0-2.1 kubevirt-virt-operator-0.59.0-2.1 kubevirt-virtctl-0.59.0-2.1 obs-service-kubevirt_containers_meta-0.59.0-2.1 kubevirt-container-disk-0.59.0-2.1 as a component of openSUSE Tumbleweed kubevirt-manifests-0.59.0-2.1 as a component of openSUSE Tumbleweed kubevirt-tests-0.59.0-2.1 as a component of openSUSE Tumbleweed kubevirt-virt-api-0.59.0-2.1 as a component of openSUSE Tumbleweed kubevirt-virt-controller-0.59.0-2.1 as a component of openSUSE Tumbleweed kubevirt-virt-exportproxy-0.59.0-2.1 as a component of openSUSE Tumbleweed kubevirt-virt-exportserver-0.59.0-2.1 as a component of openSUSE Tumbleweed kubevirt-virt-handler-0.59.0-2.1 as a component of openSUSE Tumbleweed kubevirt-virt-launcher-0.59.0-2.1 as a component of openSUSE Tumbleweed kubevirt-virt-operator-0.59.0-2.1 as a component of openSUSE Tumbleweed kubevirt-virtctl-0.59.0-2.1 as a component of openSUSE Tumbleweed obs-service-kubevirt_containers_meta-0.59.0-2.1 as a component of openSUSE Tumbleweed KubeVirt is a virtual machine management add-on for Kubernetes. In versions 0.59.0 and prior, if a malicious user has taken over a Kubernetes node where virt-handler (the KubeVirt node-daemon) is running, the virt-handler service account can be used to modify all node specs. This can be misused to lure-in system-level-privileged components which can, for instance, read all secrets on the cluster, or can exec into pods on other nodes. This way, a compromised node can be used to elevate privileges beyond the node until potentially having full privileged access to the whole cluster. The simplest way to exploit this, once a user could compromise a specific node, is to set with the virt-handler service account all other nodes to unschedulable and simply wait until system-critical components with high privileges appear on its node. No patches are available as of time of publication. As a workaround, gatekeeper users can add a webhook which will block the `virt-handler` service account to modify the spec of a node. CVE-2023-26484 openSUSE Tumbleweed:kubevirt-container-disk-0.59.0-2.1 openSUSE Tumbleweed:kubevirt-manifests-0.59.0-2.1 openSUSE Tumbleweed:kubevirt-tests-0.59.0-2.1 openSUSE Tumbleweed:kubevirt-virt-api-0.59.0-2.1 openSUSE Tumbleweed:kubevirt-virt-controller-0.59.0-2.1 openSUSE Tumbleweed:kubevirt-virt-exportproxy-0.59.0-2.1 openSUSE Tumbleweed:kubevirt-virt-exportserver-0.59.0-2.1 openSUSE Tumbleweed:kubevirt-virt-handler-0.59.0-2.1 openSUSE Tumbleweed:kubevirt-virt-launcher-0.59.0-2.1 openSUSE Tumbleweed:kubevirt-virt-operator-0.59.0-2.1 openSUSE Tumbleweed:kubevirt-virtctl-0.59.0-2.1 openSUSE Tumbleweed:obs-service-kubevirt_containers_meta-0.59.0-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-26484.html CVE-2023-26484 https://bugzilla.suse.com/1209359 SUSE Bug 1209359