CVE-2022-1798: 
NixOS vulnerability analysis and mitigation

A path traversal vulnerability was discovered in KubeVirt versions up to 0.56 (and 0.55.1) affecting all platforms. The vulnerability, identified as CVE-2022-1798, allows users with permissions to configure KubeVirt to read arbitrary files on the host filesystem that are publicly readable or accessible to UID 107 or GID 107, though /proc/self/<> remains inaccessible. The vulnerability was disclosed on September 14, 2022 (GitHub Advisory).

The vulnerability exists due to improper validation of path fields in the VMI (VirtualMachineInstance) spec. Three main attack vectors were identified: 1) Relative paths in spec.domain.firmware.kernelBoot.container fields (kernelPath and initrdPath) and spec.volumes[*].containerDisk.path, 2) Malicious links in containerDisk images, and 3) PVC hotplugging with absolute links. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) by NIST and 8.7 (HIGH) by Google Inc., with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N (NVD).

When exploited, this vulnerability allows attackers to read any publicly readable files on the host filesystem or files readable by UID/GID 107. This could lead to exposure of sensitive information stored in host system files, potentially compromising system security (GitHub Advisory).

Several mitigation strategies are available: 1) Upgrade to KubeVirt version 0.55.1 which contains patches fixing the vulnerability, 2) Disable the HotplugVolumes feature-gate, 3) Use policy controllers to prevent containerDisk addition and spec.domain.firmware.kernelBoot usage on VirtualMachineInstances, 4) Enable SELinux, though this doesn't provide 100% guarantee as vm-to-vm reads may still work (GitHub Advisory).