Platform: linux
Component: openshift-update-service
Fixed in: 1.10.0, 2.5.4
CVE-2025-57854 describes a privilege escalation vulnerability discovered in Red Hat OpenShift Update Service (OSUS) images. This flaw allows attackers with command execution capabilities within a container to potentially gain root privileges by manipulating the /etc/passwd file. The vulnerability impacts versions 1.0.0 through 2.5.3 of OSUS, and a fix is available in version 2.5.4.
The primary impact of CVE-2025-57854 is the potential for an attacker to escalate their privileges to root within a container. This allows them to execute arbitrary commands with the highest level of access, effectively taking control of the container's environment. An attacker could then access sensitive data stored within the container, modify system configurations, or even use the compromised container as a launchpad for lateral movement within the broader infrastructure. The blast radius extends to any data or services hosted within the affected container. While the vulnerability requires command execution within the container, the ease of achieving this in some scenarios makes it a significant risk, particularly in environments where containers are used to host critical applications or sensitive data.
CVE-2025-57854 was published on 2026-04-08. Its severity is currently being evaluated. No public Proof-of-Concept (POC) exploits are currently known. There are no indications of active campaigns targeting this vulnerability at this time. Monitor security advisories from Red Hat for updates and further information.
Organizations utilizing Red Hat OpenShift Update Service in production environments, particularly those running versions 1.0.0 through 2.5.3, are at risk. Environments with less stringent container security policies or those relying on default configurations are especially vulnerable. Shared hosting environments using OSUS also face increased risk due to the potential for cross-container contamination.
• linux / server:
journalctl -u osus -g 'passwd modification'
• linux / server:
find / -perm -g+w -name 'passwd' 2>/dev/null
• linux / server:
ps aux | grep -i passwd
Exploit status
EPSS: 0.00% (0th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-57854 is to upgrade Red Hat OpenShift Update Service to version 2.5.4 or later, which contains the fix. If immediate upgrading is not possible, consider implementing temporary workarounds. Restrict access to the container to only authorized users and processes. Implement strict container resource limits to minimize the potential impact of a successful exploit. Monitor container logs for suspicious activity, particularly attempts to modify the /etc/passwd file. Consider using a Web Application Firewall (WAF) or reverse proxy to filter traffic and block malicious requests. After upgrading, verify the fix by attempting to create a new user with UID 0 within a container running the patched version; this should fail.
Upgrade to Red Hat OpenShift Update Service version 2.5.4 or later. This version fixes the problem by ensuring that the /etc/passwd file is created with appropriate permissions, preventing unauthorized modification by users with root group privileges.
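The check below is an added example, not Red Hat's code or part of the original advisory. It audits a passwd file for the condition described here: a group-write bit on the file, plus any UID 0 account other than root. The function names are hypothetical, and the path argument is assumed to point at /etc/passwd in a running container or in an unpacked image root filesystem.

```shell
#!/bin/sh
# Added example: audit a passwd file for the weakness behind CVE-2025-57854.
# Function names are hypothetical; pass the path to check, for instance
# etc/passwd inside an unpacked image root filesystem.

# Succeeds when the group-write bit is set (same test as `find -perm -g+w`).
passwd_group_writable() {
    [ -n "$(find "$1" -maxdepth 0 -perm -g+w 2>/dev/null)" ]
}

# Prints every account name that has UID 0 but is not "root".
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Prints findings; returns 0 when the file is clean, 1 when anything was found.
audit_passwd() {
    f="${1:-/etc/passwd}"
    rc=0
    if passwd_group_writable "$f"; then
        echo "FINDING: $f is group-writable (mode $(stat -c '%a' "$f"), gid $(stat -c '%g' "$f"))"
        rc=1
    fi
    extra="$(extra_uid0_accounts "$f")"
    if [ -n "$extra" ]; then
        echo "FINDING: UID 0 accounts other than root in $f:" $extra
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $f"
    return "$rc"
}

# Constructed sample (not taken from a real image): a group-writable passwd
# file that also carries a second UID 0 entry.
demo_dir="$(mktemp -d)"
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' 'svc2:x:0:0::/:/bin/sh' > "$demo_dir/passwd"
chmod 664 "$demo_dir/passwd"
audit_passwd "$demo_dir/passwd" || true
rm -rf "$demo_dir"
```

A group-writable finding matters most when the reported gid is 0, since that is the group the advisory names.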
CVE-2025-57854 is a medium severity vulnerability in Red Hat OpenShift Update Service allowing attackers to potentially gain root privileges within a container by modifying the /etc/passwd file.
You are affected if you are running Red Hat OpenShift Update Service versions 1.0.0 through 2.5.3. Upgrade to 2.5.4 or later to mitigate the risk.
Upgrade to Red Hat OpenShift Update Service version 2.5.4 or later. Consider stricter container security policies as an interim measure.
Currently, there are no confirmed reports of active exploitation, but the vulnerability has been added to the CISA KEV catalog, indicating potential risk.
Refer to the official Red Hat security advisory for detailed information and updates: https://access.redhat.com/security/cve/CVE-2025-57854