Ensure containers with remote code execution CVEs are not granted privileged access through PSP
Error: A container with an RCE CVE has privileged access through PSP that can lead to a container escape
Bridgecrew Policy ID: BC_P3D_1
Severity: CRITICAL
Description
A container escape is an attack in which code running inside a container gains access to the node that hosts it. A remote code execution (RCE) vulnerability is a flaw in a package that lets an attacker run arbitrary code in the process that uses it. A privileged container (spec.privileged: true) runs with all Linux capabilities and direct access to host devices, so the container boundary offers almost no isolation. If a container image carries an RCE CVE and a Pod Security Policy allows that container to run privileged, an attacker who exploits the CVE can use the privilege to break out of the container, take control of the host node, and reach every other pod scheduled on it.
Fix - Buildtime
Multiple Services
- If a fixed version is available, patch the CVE by bumping the vulnerable package and rebuilding the image.
- Explicitly disable privileged access in the Pod Security Policy. This may break workloads that relied on privileged mode; rework those to request only the specific capabilities or host resources they need. Note that PodSecurityPolicy was removed in Kubernetes 1.25; on newer clusters enforce the same restriction with Pod Security Admission, where both the baseline and restricted profiles forbid privileged containers.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: <policy name>
spec:
+ privileged: false
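Setting privileged: false on its own is not enough for the policy to protect a workload: a PSP is only applied to pods whose service account (or creating user) is authorized to use it, and related settings such as hostPID and hostPath volumes give an attacker other routes to the node. The manifest below is an added example, not code from the Bridgecrew page: a restrictive policy with the privileged flag disabled alongside the host-access settings that usually accompany it, plus the RBAC objects that make it apply. The policy name restricted-no-privileged and the namespace apps are placeholders.

```yaml
# Added example (not from the Bridgecrew page). Names below are placeholders.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted-no-privileged
spec:
  privileged: false                  # the setting this policy checks
  allowPrivilegeEscalation: false    # also stops setuid binaries from gaining privileges
  hostPID: false                     # privileged + hostPID is the classic nsenter escape
  hostIPC: false
  hostNetwork: false
  requiredDropCapabilities:
    - ALL
  volumes:                           # no hostPath: a writable host filesystem is an escape by itself
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
---
# A PSP only takes effect for pods whose service account is allowed to "use" it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp:restricted-no-privileged
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["restricted-no-privileged"]
    verbs: ["use"]
---
# Bind the role to every service account in the target namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp:restricted-no-privileged
  namespace: apps
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp:restricted-no-privileged
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: system:serviceaccounts:apps
```

Two checks are worth running after applying it. First, confirm the PodSecurityPolicy admission plugin is enabled on the API server; without it every PSP object is ignored. Second, list the policies the namespace's service accounts can use with `kubectl get psp -o custom-columns=NAME:.metadata.name,PRIV:.spec.privileged`: if a permissive policy with privileged: true is also usable by the same service accounts, admission will accept a privileged pod under that policy and the restrictive one changes nothing.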
Updated 10 months ago