CVE-2023-6476
CRI-O vulnerability analysis and mitigation

Overview

A flaw was discovered in CRI-O (CVE-2023-6476) involving an experimental annotation that leads to the container running unconfined. The vulnerability was disclosed on January 9, 2024, affecting CRI-O container runtime implementations. The issue impacts various versions of Red Hat OpenShift Container Platform and related CRI-O implementations (NVD, Red Hat CVE).

Technical details

The vulnerability stems from a bug in the experimental annotation support added in 2021 for special resources in cgroupv2. The annotation 'io.kubernetes.cri-o.UnifiedCgroup' was intended to be filtered from the allowed annotations, but, due to an implementation flaw, any user can specify this annotation regardless of the node's settings. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) by NIST and 6.5 (MEDIUM) by Red Hat (NVD).

Impact

When exploited, this vulnerability allows a pod to specify and obtain any amount of memory/CPU resources, effectively bypassing the Kubernetes scheduler's resource controls. This can potentially result in a denial of service condition on the affected node by consuming excessive resources (Red Hat Bugzilla).

Mitigation and workarounds

The vulnerability has been patched in CRI-O versions 1.29.1, 1.28.3, and 1.27.3. Red Hat has released security updates for affected versions of OpenShift Container Platform through multiple security advisories, including RHSA-2024:0195 and RHSA-2024:0207. Users are advised to upgrade to these patched versions (Red Hat Advisories).
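An audit helper tying together the annotation key from the technical details and the fixed releases listed above, added here as an example and not part of CRI-O or any Red Hat tooling: it flags nodes whose reported CRI-O version predates its fix and lists pods that carry the annotation. The input shape follows `kubectl get nodes/pods -o json`; the sample data, the treatment of minor versions not named in the advisory, and the per-container suffix match are assumptions.

```python
import re

# Audit helpers for CVE-2023-6476 over kubectl-JSON-shaped dicts (sample data below is constructed).
UNIFIED_CGROUP_ANNOTATION = "io.kubernetes.cri-o.UnifiedCgroup"
# First fixed release per minor line, as stated in the advisory.
FIXED_VERSIONS = {27: (1, 27, 3), 28: (1, 28, 3), 29: (1, 29, 1)}
_VER_RE = re.compile(r"^cri-o://(\d+)\.(\d+)\.(\d+)")


def crio_is_vulnerable(runtime_version: str) -> bool:
    """True if a node's containerRuntimeVersion names a CRI-O release below its fix.
    Assumption: minors not listed above count as fixed from 1.29.1 onward and
    vulnerable before it (older lines received no fix in the advisory)."""
    m = _VER_RE.match(runtime_version)
    if not m:
        return False  # other runtimes (e.g. containerd) are not affected by this CVE
    ver = tuple(int(x) for x in m.groups())
    return ver < FIXED_VERSIONS.get(ver[1], (1, 29, 1))


def vulnerable_nodes(nodes: list[dict]) -> list[str]:
    """Names of nodes whose CRI-O is still unpatched."""
    return [n["metadata"]["name"] for n in nodes
            if crio_is_vulnerable(n["status"]["nodeInfo"]["containerRuntimeVersion"])]


def annotated_pods(pods: list[dict]) -> list[tuple[str, str, str]]:
    """(namespace, pod, annotation key) for every pod carrying the annotation.
    The prefix match also catches a per-container suffix form; that form is an assumption."""
    hits = []
    for p in pods:
        meta = p["metadata"]
        for key in (meta.get("annotations") or {}):
            if key == UNIFIED_CGROUP_ANNOTATION or key.startswith(UNIFIED_CGROUP_ANNOTATION + "."):
                hits.append((meta.get("namespace", "default"), meta["name"], key))
    return hits


# Constructed sample data, not output from a real cluster.
SAMPLE_NODES = [
    {"metadata": {"name": "worker-a"}, "status": {"nodeInfo": {"containerRuntimeVersion": "cri-o://1.28.2"}}},
    {"metadata": {"name": "worker-b"}, "status": {"nodeInfo": {"containerRuntimeVersion": "cri-o://1.28.3"}}},
    {"metadata": {"name": "worker-c"}, "status": {"nodeInfo": {"containerRuntimeVersion": "containerd://1.7.2"}}},
]
SAMPLE_PODS = [
    {"metadata": {"name": "web", "namespace": "prod", "annotations": {"team": "frontend"}}},
    {"metadata": {"name": "batch", "namespace": "dev", "annotations": {UNIFIED_CGROUP_ANNOTATION: "constructed-value"}}},
]

if __name__ == "__main__":
    print("unpatched CRI-O nodes:", vulnerable_nodes(SAMPLE_NODES))
    for ns, name, key in annotated_pods(SAMPLE_PODS):
        print(f"pod {ns}/{name} carries {key}; confirm it is expected on that node")
```

Pods flagged on a node that is both unpatched and not configured to allow the annotation are the ones to investigate first.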
